Abstract

We present foundational work on standard bases over rings and on Boolean Gröbner
bases in the framework of Boolean functions. The research was motivated by our
collaboration with electrical engineers and computer scientists on problems arising
from formal verification of digital circuits. In fact, algebraic modelling of formal
verification problems is developed on the word-level as well as on the bit-level. The
word-level model leads to Gröbner bases in the polynomial ring over $\mathbb{Z}_{2^n}$, while
the bit-level model leads to Boolean Gröbner bases. In addition to the theoretical
foundations of both approaches, the algorithms have been implemented. Using
these implementations we show that special data structures and the exploitation of
symmetries make Gröbner bases competitive with state-of-the-art tools from formal
verification, with the advantage of being systematic and more flexible.

Introduction



It has become common knowledge in many parts of mathematics and in some
neighbouring fields that Gröbner bases are a universal tool for any kind of
problem which can be modelled by polynomial equations. However, quite often
the models involve too many unknowns and equations, making it infeasible to
carry out the corresponding Gröbner basis computation.

This is, for example, the case for most real-world problems from discrete
optimisation or from formal verification of digital systems, two areas of eminent
practical importance. Because of their importance the community working in
these fields is much bigger than the Gröbner basis community and, moreover,
there exist highly specialised commercial tools, making it unrealistic to believe
that Gröbner bases can be of comparable practical efficiency in these areas.

One of the purposes of this paper is to show that, in many cases, Gröbner bases
can be used to find solutions for formal verification problems. In this way, they
form a good complement to existing techniques, like simulators and SAT
solvers, which are suited for identification of counterexamples (falsification).

A significant advantage is that Gröbner bases provide a mathematically proven,
systematic and very flexible tool, while many engineering solutions inside
commercial verification tools rely on ad hoc heuristics for special cases.
However, the success of Gröbner basis methods reported in this paper could not
be achieved with existing generic Gröbner basis algorithms and implementations.
On the contrary, it relies on the theory of Gröbner bases in Boolean
rings and improvements of algorithms for this case, both being developed by
the authors and described here for the first time.

The Boolean Gröbner basis formulation of a verification problem comes from
a modelling on the bit-level. We describe here also another approach based on
a modelling on the word-level, leading to Gröbner basis computations in the
polynomial ring over the ring of integers modulo $2^n$, where $n$ is the word
length, that is, the number of bits used by each signal. This approach has
the advantage that it leads to a more compact formulation with fewer variables
and equations. On the other hand, it has the disadvantage that $\mathbb{Z}_{2^n}$ is not
a field for $n > 1$, but a ring with zero divisors. Moreover, we show that an
arbitrary verification problem cannot, in general, be modelled by a system of
polynomial equations over the ring $\mathbb{Z}_{2^n}$ and, furthermore, we can in general
only prove non-satisfiability but not satisfiability. Nevertheless, a combination
of the word-level with the bit-level model could overcome these difficulties by
preserving some of the advantages of the word-level approach. However, this
is not yet fully explored and hence not presented in this paper.

The paper is organized as follows. In section 1 we describe the formal verification
of digital circuits and its algebraic modelling via word-level and bit-level
encoding. We also discuss the advantages and disadvantages of both approaches.

The second section presents foundational results about standard bases in polynomial
rings over arbitrary rings, allowing monomial orderings which are not
well orderings. New normal form algorithms and criteria for s-polynomials are
presented in the case of weakly factorial principal ideal rings. This includes
the case $\mathbb{Z}_{2^n}$, which is of interest in the application to formal verification.

In section 3 the theory of Boolean Gröbner bases is developed in the framework
of Boolean functions. Mathematically the ring of Boolean functions $\mathbb{Z}_2^n \to \mathbb{Z}_2$
is isomorphic to $\mathbb{Z}_2[x_1, \dots, x_n]/\langle FP \rangle$, where $FP$ is the set of field polynomials
$x_i^2 + x_i$, for $i = 1, \dots, n$. Boolean Gröbner bases are Gröbner bases of
ideals in $\mathbb{Z}_2[x]$ containing $FP$, modulo the ideal $\langle FP \rangle$. The usual data structure
for polynomials in $\mathbb{Z}_2[x]$ is, however, not adequate.

We propose to encode Boolean polynomials as zero-suppressed binary decision
diagrams (ZDDs) and describe the necessary algorithms for polynomial
arithmetic which take advantage of the ZDD data structures. Besides the
polynomial arithmetic the whole environment for Gröbner basis computations
has to be developed. In particular, we describe efficient comparison algorithms
for the most important monomial orderings. A central observation, which is
responsible for the success of our approach (besides the efficient handling of the
new data structures), is the appearance of symmetries in systems of Boolean
polynomials coming from formal verification. The notion of a symmetric monomial
ordering is introduced and an algorithm making use of the symmetry is
presented.

The presented algorithms have all been implemented, either in Singular or
in the PolyBoRi framework.

In the last chapter we present some implementation details and explicit timings,
comparing the new algorithms with state-of-the-art implementations of
either Gröbner basis algorithms or SAT solvers. Moreover, we discuss open
problems, in particular for polynomial systems over $\mathbb{Z}_{2^n}$.

1 Algebraic models for formal verification

1.1 Formal verification

The presented research was spurred by a joint project on formal verification
with the electrical engineering department at the University of Kaiserslautern.
An important goal pursued in modern circuit design flows is to avoid the
introduction of bugs into the circuit design in every stage of the process.
We do not go into detail here, but just mention that formal verification of
hard- and software is a huge field of research with an overwhelming amount
of literature. We refer to [1-3] for more details and references.

Property checking is a technique for functional verification of the initial register
transfer level (RTL) description of a circuit design. The initial specification
of the design, which is often given as a more or less informal human readable
document, is formalized by a set of properties. A systematic methodology ensures
that the complete intended behavior of the circuit is covered by the resulting
property suite. However, each property describes the required circuit behavior
in a well defined scenario. This allows for an early evaluation of parts of the
design as soon as they are completed.

Classical methods for design validation include the simulation of the system
with respect to suitable input stimuli, as well as tests based on emulations,
which may use simplified prototypes. The latter may be constructed using
field programmable gate arrays (FPGAs). Due to a large number of possible
settings, these approaches can never cover the overall behaviour of a proposed
implementation. In the worst case a defective system is manufactured and
delivered, which might result in a major product recall and liability issues.
Therefore simulation methods are more and more replaced by formal methods
which are based on exact logical and mathematical algorithms for automated
proving of circuit properties.

Fig. 1. Digital system design flow



1.2 Design flow 



The circuit design starts with an informal specification of a microchip (Figure 1)
by some tender documents which are usually given in a human readable
text or presentation format. In a first step the specification may be translated
into a high-level modelling language. One possibility is to use high-level synthesis
for generating a register transfer level (RTL) design which describes the flow of
signals between registers in terms of a hardware description language [4]. But
this is rarely used in practice as it constrains the freedom of the design.
Instead, designers manually create the RTL design in a hardware description
language. Concurrently, the intended behavior specified by the informal
specification is formalized by formal properties. Automatic tools are used to ensure
that the RTL design fulfills these conditions.

After passing property checking a netlist is generated semi-automatically from
the RTL. The latter is used to derive the actual layout of the chip mask. The
validation that different circuit descriptions arising from the last two steps
exhibit the same behaviour is called equivalence checking. Since this can be
handled accurately, the setting of the RTL design is the most crucial part. Errors
at this level may become very expensive, as they may lead to unusable chip
masks or even defective prototypes. The present paper is concerned with this
critical level.

The ability of checking the validity of a proposed design restricts the design
itself: a newly introduced design approach may not be used for an implementation
as long as its verification cannot be ensured. In particular, this applies
to digital systems consisting of combined logic and arithmetic blocks, which
may not be treated with specialised approaches. Here, dedicated methods from
computer algebra may lead to more generic procedures, which help to fill the
design gap.

1.3 Problem formulation and encoding in algebra 

The verification problem is defined by a set of axioms $M$ representing the
circuit w.r.t. given decision variables. In addition, a set of statements $P$
represents the property to be checked. For instance, if $M$ models a multiplication
unit, a suitable $P$ would be the condition that after a complete cycle the
output of $M$ is the product of its inputs.

The question whether the circuit represented by $M$ fulfills $P$ can be reformulated
in the following way: First of all, we may assume that $M$ is consistent,
i.e. there are no contradictions inherent in the axioms, since the axioms
describe a circuit. Then the new set of axioms $M \wedge \neg P$ is contradictable if and
only if $M$ implies $P$. Hence the desired property $P$ will be proven by showing
that $M \wedge \neg P$ has no valid instance, i.e. one fulfilling the axioms and not the
property.

In the following we encode this logical system into a system of algebraic equations
in two ways, on word-level and on bit-level. The word-level model will
lead us to consider Gröbner bases over the ring $\mathbb{Z}_{2^n}$, while the bit-level will lead
to Gröbner bases over Boolean rings. Here and in the following $\mathbb{Z}_m$ denotes
the finite ring $\mathbb{Z}/m\mathbb{Z}$ for $m \in \mathbb{Z} \setminus \{0\}$.

1.3.1 Word-level encoding 

We illustrate how the problem of formal verification can be encoded in a
system of algebraic equations using polynomials over the ring $\mathbb{Z}_{2^n}$. Let $n$ be
the word length of the circuit, i.e. the number of bits used by each signal
(in typical applications we have $n \in \{16, 32, 64\}$). Then the RTL description
displayed in Figure 2(a) is equivalent to the following set of algebraic equations

$M = \{b + c = d,\ a \cdot d = e\}$    (1)

where $b + c - d$, $a \cdot d - e$ are polynomials in $\mathbb{Z}_{2^n}[a, b, c, d, e, f]$. Of course, the two
equations in $M$ are equivalent to $a \cdot (b + c) = e$, but in general the latter input-output
form is infeasible due to its complexity. Also, there can be more than
one output per block and only some of these outputs may be used further.

Fig. 2. RTL design and property

For example, Figure 2(b) presents the property

$P = \{b = 0,\ a \cdot c = f\}$.    (2)

In this case, the statement that $M$ implies $P$ is equivalent to the assertion that
$M \cup P \cup \{f \neq e\}$ has no solution. Since the set $\{f \neq e\}$ is not a closed algebraic
set, we replace $f \neq e$ by $s \cdot (f - e) = 2^{n-1}$, where $s$ is a new variable. Indeed,
it is easy to see that a value $s \in \mathbb{Z}_{2^n}$ fulfills this equation if and only if $f \neq e$
(since the ring has zero-divisors, $f \neq e$ cannot be encoded by $s(f - e) = 1$).
Let $I$ be the ideal $\langle b + c - d,\ a \cdot d - e,\ b,\ a \cdot c - f,\ s \cdot (f - e) - 2^{n-1} \rangle$
in $\mathbb{Z}_{2^n}[a, b, c, d, e, f, s]$. Then the question reduces to the question whether

$V(I) := \{(a, b, c, d, e, f, s) \in \mathbb{Z}_{2^n}^7 \mid p(a, b, c, d, e, f, s) = 0 \text{ for all } p \in I\}$

is empty. There are no solutions for the ideal $I$ (i.e. $V(I) = \emptyset$) if and only if
$M \wedge \neg P$ is contradictable, that is, $P$ is satisfied by $M$.

One way of tackling this problem is to compute a Gröbner basis of $I$ in the
ring $R/I_0$, where $I_0$ denotes the ideal of vanishing polynomials in $R$, i.e. polynomials
evaluating to zero at any point of $\mathbb{Z}_{2^n}$. Due to the zero-divisors in this
ring the ideal $I_0$ has more structure than in the finite field case and even its
Gröbner basis can become huge (cf. [5]).
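
The word-level encoding above can be checked exhaustively for a small word length. The following Python script is an added example, not code from the paper or its implementations; the function names and the `adder` hook, which swaps in a faulty adder block so that $V(I)$ becomes non-empty, are assumptions made for illustration.

```python
"""Word-level encoding of section 1.3.1, checked exhaustively for small n."""
from itertools import product


def witnesses(delta, n):
    """All s in Z_{2^n} with s * delta = 2^(n-1), the encoding of delta != 0."""
    m = 1 << n
    return [s for s in range(m) if (s * delta) % m == m // 2]


def encoding_is_exact(n):
    """True iff s*(f - e) = 2^(n-1) is solvable exactly when f - e != 0."""
    return all(bool(witnesses(d, n)) == (d != 0) for d in range(1 << n))


def missed_by_unit_encoding(n):
    """Nonzero d for which s*d = 1 has no solution (the zero divisors)."""
    m = 1 << n
    return [d for d in range(1, m) if all((s * d) % m != 1 for s in range(m))]


def variety(n, adder=lambda b, c: b + c):
    """Points (a, b, c, d, e, f, s) of V(I) for the ideal
    <adder(b, c) - d, a*d - e, b, a*c - f, s*(f - e) - 2^(n-1)>.

    `adder` is a hypothetical hook: the default is the correct block of
    equation (1); passing another function models a faulty design.
    """
    m = 1 << n
    points = []
    for a, c in product(range(m), repeat=2):
        b = 0                      # generator b of the ideal forces b = 0
        d = adder(b, c) % m        # circuit M: adder block
        e = (a * d) % m            # circuit M: multiplier block
        f = (a * c) % m            # property P: a * c = f
        for s in witnesses((f - e) % m, n):
            points.append((a, b, c, d, e, f, s))
    return points


def property_holds(n, adder=lambda b, c: b + c):
    """M implies P exactly when V(I) is empty."""
    return not variety(n, adder)


if __name__ == "__main__":
    print("encoding exact for n = 4:", encoding_is_exact(4))
    print("differences missed by s*d = 1 (n = 3):", missed_by_unit_encoding(3))
    print("property holds (n = 3):", property_holds(3))
    faulty = lambda b, c: b + c + 1   # constructed bug: off-by-one adder
    print("counterexample for faulty adder:", variety(3, faulty)[0])
```

With the faulty adder every assignment with $a \neq 0$ yields a point of $V(I)$, so each returned tuple is a concrete counterexample to the property.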



1.3.2 Bit-level encoding 

An alternative approach is to encode the problem at the bit-level, that is, as
polynomials over $\mathbb{Z}_2$. This approach is based on the fact that every value of $x$
in $\mathbb{Z}_{2^n}$ can be encoded uniquely to the base 2, i.e. in its bits:

$x = x_0 + x_1 2 + \dots + x_{n-1} 2^{n-1}, \quad x_i \in \{0, 1\}$.    (3)

In the example above we can express each variable $a, b, c, d, e, f$ analogously
to equation (3) with new variables $a_i, b_i, c_i, d_i, e_i, f_i \in \{0, 1\}$, $i = 0, \dots, n-1$.
Then equation (1) and equation (2) must be rewritten, which yields $n$ equations
for each of them. Gathering all corresponding polynomials and adding
the polynomial $\prod_i (1 - f_i + e_i)$, which is equivalent to $f \neq e$, we obtain an
ideal $I$ over $R := \mathbb{Z}_2[a_0, \dots, f_{n-1}]$ in $6n$ variables.

For instance, the bits $p_0, \dots, p_{n-1} \in \{0, 1\}$ of the product $p = a \cdot b$ are given
by equations $p_k = a_k \cdot b_0 + \sum_{i=0}^{k-1} (a_i \cdot b_{k-i} + t_{k,i})$ over $\mathbb{Z}_2$, where the $t_{k,i}$ mark
rather complicated bit-level expressions in the $s_{k,i} \in \{0, 1\}$, which fulfill
$p_k + s_{k,1} 2 + \dots + s_{k,n-1} 2^{n-1} = a_k \cdot b_0 + \sum_{i=0}^{k-1} (a_i \cdot b_{k-i} + \,)$ in $\mathbb{Z}_{2^n}$. For example,
for $n = 4$, we get

$p_3 = a_3 b_0 + a_2 b_1 + a_1 b_2 + a_0 b_3 + a_2 a_1 a_0 b_1 b_0 + a_2 a_1 b_1 b_0 + a_2 a_0 b_2 b_0 + a_1 a_0 b_2 b_1 b_0 + a_1 a_0 b_2 b_1 + a_1 a_0 b_1 b_0$
$p_2 = a_2 b_0 + a_1 b_1 + a_0 b_2 + a_1 a_0 b_1 b_0$
$p_1 = a_1 b_0 + a_0 b_1$
$p_0 = a_0 b_0$

Again let $I_0$ be the ideal of vanishing polynomials in $R$. In this case, the
ideal $I_0$ is generated by the field equations $x^2 - x = 0$ for every variable $x$.
Now we compute a Gröbner basis of $I$ in the ring $R/I_0$. In this ring every ideal
is principal (cf. Theorem 60) and hence its reduced Gröbner basis will consist
of just one polynomial. Moreover, $I = \langle 1 \rangle$ if and only if its reduced Gröbner
basis is $\{1\}$ and this is equivalent to the zero set of all polynomials in $I$ being
empty, and therefore if and only if the property $P$ holds.
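
The bit-level polynomials of the multiplier can be derived mechanically from the truth table of $a \cdot b \bmod 2^n$. The following Python script is an added example, not code from the paper or from PolyBoRi: it computes the polynomial of each product bit modulo the field equations with the binary Möbius transform and compares the result with the $n = 4$ polynomials of the text. The function names and the set-of-monomials representation are assumptions made for illustration.

```python
"""Bit-level polynomials over Z_2 for p = a*b mod 2^n (section 1.3.2)."""


def product_bit_anf(n, k):
    """Polynomial of bit k of a*b, reduced modulo x^2 - x for every variable.

    Returned as a set of monomials; a monomial is a frozenset of variable
    names, so x^2 = x holds by construction and coefficients are implicit.
    """
    names = [f"a{i}" for i in range(n)] + [f"b{i}" for i in range(n)]
    size = 1 << (2 * n)
    low = (1 << n) - 1
    # Truth table of bit k: index bit i holds a_i, index bit n+i holds b_i.
    coeff = [(((x & low) * (x >> n)) >> k) & 1 for x in range(size)]
    # In-place binary Moebius transform: afterwards coeff[x] is the
    # coefficient of the monomial whose variables are the set bits of x.
    for i in range(2 * n):
        bit = 1 << i
        for x in range(size):
            if x & bit:
                coeff[x] ^= coeff[x ^ bit]
    return {frozenset(names[i] for i in range(2 * n) if (x >> i) & 1)
            for x in range(size) if coeff[x]}


def parse(text):
    """'a1 b0 + a0 b1' -> set of monomials (frozensets of variable names)."""
    return {frozenset(term.split()) for term in text.split("+")}


# The n = 4 polynomials as given in the text.
PAGE_POLYNOMIALS = {
    3: "a3 b0 + a2 b1 + a1 b2 + a0 b3 + a2 a1 a0 b1 b0 + a2 a1 b1 b0"
       " + a2 a0 b2 b0 + a1 a0 b2 b1 b0 + a1 a0 b2 b1 + a1 a0 b1 b0",
    2: "a2 b0 + a1 b1 + a0 b2 + a1 a0 b1 b0",
    1: "a1 b0 + a0 b1",
    0: "a0 b0",
}


def check_page_polynomials():
    """For each bit k, does the derived polynomial equal the one in the text?"""
    return {k: product_bit_anf(4, k) == parse(p)
            for k, p in PAGE_POLYNOMIALS.items()}


def term_counts(n):
    """Number of monomials of p_0, ..., p_{n-1}; shows the bit-level growth."""
    return [len(product_bit_anf(n, k)) for k in range(n)]


if __name__ == "__main__":
    print(check_page_polynomials())
    for n in (4, 5, 6):
        print(n, term_counts(n))
```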

1.3.3 Modelling advantages and disadvantages 

Both modelling approaches presented in section 1.3.1 and section 1.3.2 have
strengths and weaknesses. On the one hand, the word-level formulation of
verification problems as polynomial systems over $\mathbb{Z}_{2^n}$ leads to fewer variables
and equations. The equations of arithmetic blocks, like multiplier and adder
blocks, are given in a natural and human readable way. However, not all
formulae on word-level (for example bitwise and, or, and exclusive-or) may
be coded by polynomial equations. Therefore, full strength will need bit-level
encoding of some variables. Another drawback is that the coefficients come from $\mathbb{Z}_{2^n}$,
which is a ring with zero-divisors and not a field. Hence, one cannot rely on
valuable properties of fields, like the algebraic closure.

Since $\mathbb{Z}_2$ is a field, these restrictions do not exist for polynomials over $\mathbb{Z}_2$,
which can be used for formulation of arbitrary bit-level equations. Moreover,
since the coefficients are restricted to be one or zero, they need not be
stored at all. Hence, a specialised data structure is possible, which is tailored
to suit this application task. On the other hand, contrary to the word-level
case, bit-level formulations carry many variables and equations. The number
of them may grow exponentially even for some applications which can be
handled easily over $\mathbb{Z}_{2^n}$.

As a result of these considerations, research was done for both approaches.
In the following, we present the different strategies and solutions for both the
word-level and bit-level approach, in the appropriate algebraic setting.



2 Standard bases over rings

2.1 Basic definitions 

In this paragraph we outline the general theory of standard bases for ideals
or modules over a polynomial ring $C[x_1, \dots, x_n]$ where $C$ is any commutative
Noetherian ring with 1. We do not require that the monomial ordering
is a well-ordering, that is, we treat the case of standard bases in the localization
of $C[x_1, \dots, x_n]$ as well (for a full treatment cf. [6]). Gröbner bases over
$C[x_1, \dots, x_n]$ (i.e. the case of well-orderings) have been treated previously
(cf. [7, 8]) but never for non well-orderings. Since we are mainly interested in
the case $C = \mathbb{Z}_{2^n}$ we allow $C$ to have zero-divisors. Moreover, since we are
interested in practical application to real world formal verification problems, we
have to develop the theory for $C = \mathbb{Z}_m$ with special care. The ring allows
special algorithms which dramatically improve the performance of Gröbner
bases computations compared with generic implementations for general rings.

We recall some algebraic basics, including classical notions for the treatment of
polynomial systems, as well as basic definitions and results from computational
algebra. For an exhaustive textbook about the subject, when the ground ring
$C$ is a field, we refer to [9] and the references therein.

Let $C[x] = C[x_1, \dots, x_n]$ be the polynomial ring over $C$, equipped with an arbitrary
monomial ordering $<$, i.e. global (well-ordering), local or mixed (cf. [9]).
Further, $C[x]_<$ denotes the localization of $C[x]$ by the multiplicatively closed set

$S_< = \{f \in C[x] \setminus \{0\} \mid \mathrm{LM}(f) = 1 \wedge \mathrm{LC}(f) \in C^*\}$,

where $C^*$ is the group of units of $C$ and LM respectively LC denote the leading
monomial respectively the leading coefficient w.r.t. $<$, as defined in [9]. Then we set

$R := C[x]_<$.

Also, consider a partition of the ring variables $\{x, y\} = \{x_1, \dots, x_n, y_1, \dots, y_m\}$.
A monomial ordering over $C[x, y]$ is called an elimination ordering for $x$, if
$x_i > t$ for each $i$ and for every monomial $t$ in $C[y]$.

Definition 1. Let $I \subset R = C[x]_<$ be an ideal and $f$ an element in $R$. Choose
$u \in S_<$ such that $\mathrm{LC}(u) = 1$ and $u \cdot f$ is a polynomial $a_0 \cdot x^{\alpha_0} + \dots + a_n \cdot x^{\alpha_n} \in C[x]$
with $a_0 \neq 0$ and $x^{\alpha_0} > x^{\alpha_i}$ for all $i \neq 0$ with $a_i \neq 0$ (which is always
possible). Then we define

  $\mathrm{LT}(f) = a_0 \cdot x^{\alpha_0}$    leading term of $f$
  $\mathrm{LM}(f) = x^{\alpha_0}$    leading monomial of $f$
  $\mathrm{LC}(f) = a_0$    leading coefficient of $f$
  $\mathrm{LE}(f) = \alpha_0$    leading exponent of $f$
  $L(I) = \langle \mathrm{LT}(f) \mid f \in I \rangle_{C[x]}$    leading ideal of $I$
  $\mathrm{LM}(I) = \langle \mathrm{LM}(f) \mid f \in I \rangle_{C[x]}$    leading monomials ideal of $I$
  $V(I) = \{x \mid \forall f \in I : f(x) = 0\}$    common zeroes or variety of $I$
  $I(V) = \{f \mid \forall x \in V : f(x) = 0\}$    vanishing ideal of $V \subset C^n$
  $\mathrm{supp}(f) = \{x^{\alpha_i} \mid a_i \neq 0\}$    support of $f$
  $\mathrm{tail}(f) = f - \mathrm{LT}(f)$    tail of $f$

If the monomial order $<$ is global then $u = 1$. If $<$ is not global the leading
coefficients and the leading terms are well defined, independent of the choice
of $u$.

Definition 2. Let $I \subset R = C[x]_<$ be an ideal. A finite set $G \subset R$ is called a
standard basis of $I$ if

$G \subset I$ and $L(I) = L(G)$.

That is, $G$ is a standard basis if the leading terms of $G$ generate the leading
ideal of $I$. $G$ is called a strong standard basis if, for any $f \in I \setminus \{0\}$, there exists
a $g \in G$ satisfying $\mathrm{LT}(g) \mid \mathrm{LT}(f)$. If $<$ is global we will call standard bases
also Gröbner bases. A finite set $G \subset R$ is called standard resp. Gröbner basis,
if $G$ is a standard resp. Gröbner basis of $\langle G \rangle_R$, the ideal generated by $G$.

Remark 3. If $C$ is a field, then $L(I) = \mathrm{LM}(I)$, but due to non-invertible
coefficients, in general only $L(I) \subset \mathrm{LM}(I)$ holds.

Next, the notion of t-representations is introduced, as formulated in [10]. While
this notion is mostly equivalent to using syzygies, it helps to understand the
correctness of the algorithms.

Definition 4 (t-representation). Let $t$ be a monomial and consider elements

$f, g_1, \dots, g_m, h_1, \dots, h_m \in C[x]_< = R$

with $f = \sum_{i=1}^{m} h_i \cdot g_i$. Then the sum is called a t-representation of $f$ with
respect to $g_1, \dots, g_m$ if

$\mathrm{LM}(h_i \cdot g_i) \le t$ for all $i$ with $h_i \cdot g_i \neq 0$.

Example 5. Let the monomials of C[x, y] be lexicographically ordered (x > y)
and g1 = x^, g2 = − y, f = y. Then f = x^ g1 − g2 is a x^y^-representation
of f.

Notation 6. Given a representation $p = \sum_i h_i \cdot f_i$ with respect to $f_1, \dots, f_m$,
we may shortly say that $p$ has a nontrivial t-representation, if a t-representation
of $p$ exists with

$t < \max\{\mathrm{LM}(h_i \cdot f_i) \mid h_i \cdot f_i \neq 0\}$.

Note that there exist no t-representations with $t < \mathrm{LM}(p)$. Further, we say
that an arbitrary $g$ has a standard representation with respect to $\{f_i\}$, if it
has a $\mathrm{LM}(g)$-representation.

2.2 Normal forms 

Definition 7. Let $\mathcal{G}$ be the set of all finite subsets $G$ of $R = C[x]_<$. A map

$\mathrm{NF} : R \times \mathcal{G} \to R, \quad (f, G) \mapsto \mathrm{NF}(f \mid G)$

(i) is called a normal form on $R$ if, for all $G \in \mathcal{G}$,

(0) $\mathrm{NF}(0 \mid G) = 0$,

and, for all $f \in R$ and $G \in \mathcal{G}$,

(1) $\mathrm{NF}(f \mid G) \neq 0 \Rightarrow \mathrm{LT}(\mathrm{NF}(f \mid G)) \notin L(G)$ and

(2) $r := f - \mathrm{NF}(f \mid G)$ has a standard representation with respect to $G$.

(ii) is called a weak normal form, if instead of $r$ we just require that the
polynomial $r' = uf - \mathrm{NF}(f \mid G)$ for a unit $u \in R^*$ has a standard
representation with respect to $G$.

(iii) is called polynomial weak normal form if it is a weak normal form and
whenever $f \in C[x]$ and $G \subset C[x]$, there exists a unit $u \in R^* \cap C[x]$,
such that $uf - \mathrm{NF}(f \mid G)$ has a standard representation $\sum_i a_i g_i$ w.r.t.
$G = \{g_1, \dots, g_n\}$ with $a_i \in C[x]$.

Remark 8. Polynomial weak normal forms exist for arbitrary Noetherian
rings and are computable if linear equations over $C$ are solvable (Theorem 11).

Definition 9. We call a normal form $\mathrm{NF}(\cdot \mid \cdot)$ reduced, if for all $f \in R$
and $G \in \mathcal{G}$ the leading terms of elements from $G$ do not divide any term
of $\mathrm{NF}(f \mid G)$. Further we call $G$ a reduced Gröbner basis, if no term from $\mathrm{tail}(g)$
for any $g \in G$ is divisible by a leading term of an element of $G$.

Now we introduce an algorithm for computing a polynomial weak normal
form for any monomial ordering, given we are able to solve an arbitrary linear
equation in the coefficient ring $C$. To ensure correctness and termination we
need to introduce the concept of the ecart of a polynomial.

Definition 10. Let $f \in R \setminus \{0\}$ be a polynomial. Then the ecart is defined by

$\mathrm{ecart}\, f = \deg f - \deg \mathrm{LM}(f)$.

We introduce a monomial order $<_h$ on $C[t, x]$ where $t$ is a new variable via

$t^p x^\alpha <_h t^q x^\beta \ :\Longleftrightarrow\ p + |\alpha| < q + |\beta|$ or
($p + |\alpha| = q + |\beta|$ and $x^\alpha < x^\beta$).

This is a well-ordering as there are only finitely many monomials with a given
total degree.

Algorithm 1 Calculating a normal form over coefficient rings
Input: $f \in R$ a polynomial, $G \subset R$ finite, $>$ a monomial ordering
Output: A normal form of $f$
  $T := G$
  while $f \neq 0$ and $\mathrm{LT}(f) \in L(T)$ do
    solve $\mathrm{LT}(f) = \sum_{i=1}^{m} c_i x^{\alpha_i} \mathrm{LT}(g_i)$ with $x^{\alpha_i} \mathrm{LM}(g_i) = \mathrm{LM}(f)$,
      $g_i \in T$ and $\max\{\mathrm{ecart}\, g_i\}$ minimal
    if $\max\{\mathrm{ecart}\, g_i\} > \mathrm{ecart}\, f$ then
      $T := T \cup \{f\}$
    $f := f - \sum_{i=1}^{m} c_i x^{\alpha_i} g_i$
  return $f$

Theorem 11. Algorithm 1 terminates and computes a normal form, if we
can solve linear equations in the coefficient ring $C$.

Remark 12. In many cases it is not necessary to solve linear equations during
the normal form computation. These include coefficient fields (the classical
case), weak 1-factorial rings or principal ideal domains. The latter case was
already treated in [7]. Further cases can also be computed without solving
linear equations if we require $G$ to be a strong Gröbner basis.



2.2.1 Weak factorial rings 

In rings with zero-divisors we have in general no decomposition into irreducible
elements. For example in $\mathbb{Z}_{12}$ we have $6 = 3 \cdot 6 = 3 \cdot 3 \cdot 6 = \dots$ Therefore the
concept of factoriality does not make sense. But there exists a notion of weak
factorial rings where every element can be written as $a = n \cdot p_1^{e_1} \cdots p_k^{e_k}$, $e_i \ge 0$
($n$ not necessarily a unit), such that $a \mid b = m \cdot p_1^{s_1} \cdots p_k^{s_k}$ iff $e_i \le s_i$. This
will be formalized below.

Let $C$ be a commutative Noetherian ring with 1 and $C^*$ the group of units.
Denote further by $N(C) = \{a \in C \mid \exists b : a \cdot b = 0\}$ the zero-divisors and
by $NE(C) = C \setminus C^*$ the non-units in $C$.

Definition 13. An element factorization $(\nu, P)$ or just $\nu$ for a ring $C$ consists
of a subset $P \subset NE(C)$ and a map $\nu = (\nu_p)_{p \in P} : C \to \mathbb{N}^P$, $\nu_p : C \to \mathbb{N}$, such
that for all $a \in C$ there exists an element $n \in C$ with

and $\nu_p(a) \neq 0$ only for finitely many $p \in P$.

A ring $C$ with an element factorization $\nu$ is called P-weak factorial or just
weak factorial if, for all $a, b \in C$,

$a \mid b \iff \nu(a) \le \nu(b)$.

That is, divisibility in $C$ is given by the natural order relation of $\mathbb{N}^P$. If we
want to emphasise the number of elements in $P$ (elements in $P$ are also called
"primes"), we say weak $|P|$-factorial ring where $|P|$ is the cardinality of $P$.

Example 14. (1) If $C$ is a factorial domain and $P$ the set of irreducible
elements then $C$ is P-weak factorial.

(2) The ring of integers modulo a power of a prime number $p$ is a weak
1-factorial ring with $P = \{p\}$.

(3) The ring $\mathbb{Z}_m$ is weak factorial with $P = \{p \in \mathbb{P} \mid p \mid m\}$, where $\mathbb{P}$ denotes
the set of prime numbers.

(4) The ring $\mathbb{Z}$ is a weak $\infty$-factorial ring with $P = \mathbb{P}$ and $\nu$ the map
which associates to $a \in \mathbb{Z}$ the exponents of the prime decomposition of $a$.

(5) The ring $K[[x]]$, $K$ a field, is weak factorial with $P = \{x\}$.

Remark 15. For the case of $\mathbb{Z}_m$ with $m = p_1^{e_1} \cdots p_k^{e_k}$, we define $\nu$ as

$\nu_{p_i}(\bar{a}) := \nu_i(\bar{a}) = \min\{\nu^{\mathbb{Z}}_{p_i}(a), e_i\}$

where $a \in \mathbb{Z}$ represents $\bar{a} \in \mathbb{Z}_m$. E.g. in $\mathbb{Z}_{12}$ we have $12 = 2^2 \cdot 3^1$ and therefore
$\nu_3(9) = 1$ and $9 = 3 \cdot 3 = n \cdot 3^1$. Further, in this case $\nu$ has the following
properties:

Proposition 16. Let $\nu$ be defined for $\mathbb{Z}_m$ as in Remark 15. Then we have

(1) $\nu$ is well-defined, that is $\nu(a) = \nu(a + k \cdot m)$ for all $a, k, m \in \mathbb{Z}$,

(2) $\nu$ is saturated multiplicative, that is $\nu_i(a \cdot b) = \min\{\nu_i(a) + \nu_i(b), e_i\}$,

(3) $\nu_i(a + b) = 0$ if $\nu_i(a) > 0$ and $\nu_i(b) = 0$,

(4) $\nu(a) = 0 \iff a \in \mathbb{Z}_m^*$ and

(5) $\nu$ is nice weak factorial, that is, $\forall a \in \mathbb{Z}_m\ \exists u \in \mathbb{Z}_m^* : a = u \cdot p^{\nu(a)}$.

PROOF. The first four properties follow easily from the valuation properties
of $\mathbb{Z}$ with $\nu^{\mathbb{Z}}$. For the last one let $a = n \cdot p^{\nu(a)}$. At first notice that $\nu_{p_i}(n) > 0$
is only possible if $\nu_{p_i}(a) = e_i$. Hence consider


m -r-r 
^ = 11 

^ ei>0 
Pi\n 



Now $\nu(u) = 0$ and therefore $u \in \mathbb{Z}_m^*$. Further $u \cdot p^{\nu(a)} = a$.

Remark 17. One can show that in our definition the elements of $P$ are
irreducible and that $C$ is a weak unique factorization ring (UFR) in the sense
of Ağargün [11] and therefore a generalisation of the notions from
Bouvier-Galovich [12, 13] and Fletcher [14] (cf. [11]). Nevertheless we prefer our
definition, as it emphasises the divisibility relation.

Remark 18. If $C$ is a principal ideal ring, then it is isomorphic to a finite
product [15] of principal ideal domains, hence factorial domains, and
finite-chain rings (cf. [15]), which are weak 1-factorial. Therefore we can compute
Gröbner bases in polynomial rings over the factors and lift them to $C[x]$. This
is described in the work of G. Norton and A. Salagean [16]. Below we show
that computation in the ring itself is feasible.

Definition 19. Let $C$ be a weak factorial ring and $a_1, \dots, a_n \in C$. Then we
define (with max, min component-wise)

$\gcd(a_1, \dots, a_n) = p^{\min\{\nu(a_1), \dots, \nu(a_n)\}}$
$\mathrm{lcm}(a_1, \dots, a_n) = p^{\max\{\nu(a_1), \dots, \nu(a_n)\}}$.

Remark 20. This definition of gcd and lcm fulfills the universal properties of
the greatest common divisor and the least common multiple. But notice that,
for arbitrary rings, the gcd and lcm are not unique up to units. However, in
the case of $\mathbb{Z}_m$ this holds:

$a \mid b \wedge b \mid a \Rightarrow \exists u \in \mathbb{Z}_m^* : a = u \cdot b$.

Lemma 21. Let $C$ be a weak factorial principal ring. Then

$\langle a_1, \dots, a_n \rangle = \langle \gcd(a_1, \dots, a_n) \rangle$,
$\langle a_1 \rangle \cap \dots \cap \langle a_n \rangle = \langle \mathrm{lcm}(a_1, \dots, a_n) \rangle$.

PROOF. Follows directly from the definition of weak factorial and gcd,
respectively lcm, and their universal properties.

Lemma 22. Let $C$ be a weak 1-factorial principal ring with prime $\eta$ and
let $c, a_1, \dots, a_s \in C \setminus \{0\}$. Then the following are equivalent.

• The equation $c = a_1 x_1 + \dots + a_s x_s$ is solvable.

• There exists a $j \in \{1, \dots, s\}$ and $x \in C$, such that $c = a_j x$, i.e. $a_j \mid c$.

PROOF. The first statement is equivalent to

$c \in \langle a_1, \dots, a_s \rangle$
$\iff \gcd(a_1, \dots, a_s) \mid c$
$\iff \min\{\nu(a_1), \dots, \nu(a_s)\} \le \nu(c)$
$\iff \exists a_i : \nu(a_i) \le \nu(c)$, as $\mathrm{Im}(\nu) \subset \mathbb{N}$

which is equivalent to the second statement.

Corollary 23. Let $C$ be a weak 1-factorial principal ring. Then, solving linear
equations over $C$ can be reduced to tests for divisibility. Moreover, every
standard basis over $C[x]_<$ is a strong standard basis.
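
The statements of this subsection can be checked mechanically for $\mathbb{Z}_m$. The following Python script is an added example, not code from the paper or from Singular: it implements $\nu$ from Remark 15, the gcd and lcm of Definition 19, the unit decomposition of Proposition 16(5), and compares both statements of Lemma 22 by brute force. All function names are hypothetical and the exhaustive searches are only meant as reference checks for small $m$.

```python
"""Weak factorial structure of Z_m (Remark 15 to Lemma 22), brute-force checked."""
from itertools import product


def prime_powers(m):
    """Trial division: [(p_1, e_1), ..., (p_k, e_k)] with m = prod p_i^e_i."""
    out, p = [], 2
    while p * p <= m:
        if m % p == 0:
            e = 0
            while m % p == 0:
                m //= p
                e += 1
            out.append((p, e))
        p += 1
    if m > 1:
        out.append((m, 1))
    return out


def nu(a, m):
    """nu_i(a) = min(p_i-adic valuation of a, e_i); 0 maps to (e_1, ..., e_k)."""
    a %= m
    vals = []
    for p, e in prime_powers(m):
        v = 0
        while v < e and a % p ** (v + 1) == 0:
            v += 1
        vals.append(v)
    return tuple(vals)


def from_nu(vals, m):
    """The element p^vals = p_1^vals_1 * ... * p_k^vals_k of Z_m."""
    r = 1
    for (p, _), v in zip(prime_powers(m), vals):
        r *= p ** v
    return r % m


def divides(a, b, m):
    """Weak factorial test: a | b  <=>  nu(a) <= nu(b) componentwise."""
    return all(x <= y for x, y in zip(nu(a, m), nu(b, m)))


def divides_bruteforce(a, b, m):
    """Reference check: is there an x in Z_m with a * x = b?"""
    return any((a * x - b) % m == 0 for x in range(m))


def wf_gcd(values, m):
    """Definition 19: p^min{nu(a_1), ..., nu(a_n)}, min componentwise."""
    return from_nu(tuple(map(min, zip(*(nu(a, m) for a in values)))), m)


def wf_lcm(values, m):
    """Definition 19: p^max{nu(a_1), ..., nu(a_n)}, max componentwise."""
    return from_nu(tuple(map(max, zip(*(nu(a, m) for a in values)))), m)


def unit_cofactor(a, m):
    """Proposition 16(5): search for a unit u with a = u * p^nu(a)."""
    base = from_nu(nu(a, m), m)
    for u in range(1, m):
        if not any(nu(u, m)) and (u * base - a) % m == 0:
            return u
    return None


def solvable(c, coeffs, m):
    """Brute force: is c = a_1*x_1 + ... + a_s*x_s solvable over Z_m?"""
    return any((sum(a * x for a, x in zip(coeffs, xs)) - c) % m == 0
               for xs in product(range(m), repeat=len(coeffs)))


def lemma22_holds(m):
    """Compare both statements of Lemma 22 for s = 2 and nonzero c, a_1, a_2."""
    return all(solvable(c, (a1, a2), m)
               == (divides(a1, c, m) or divides(a2, c, m))
               for c, a1, a2 in product(range(1, m), repeat=3))


if __name__ == "__main__":
    print("nu(9) in Z_12:", nu(9, 12), "unit cofactor:", unit_cofactor(9, 12))
    print("gcd, lcm of 4, 6 in Z_12:", wf_gcd((4, 6), 12), wf_lcm((4, 6), 12))
    print("Lemma 22 in Z_8, Z_9, Z_12:", [lemma22_holds(m) for m in (8, 9, 12)])
```

The equivalence holds in $\mathbb{Z}_8$ and $\mathbb{Z}_9$, which are weak 1-factorial, and fails in $\mathbb{Z}_{12}$: $1 = 2 \cdot 5 + 3 \cdot 1$ is solvable although neither 2 nor 3 divides 1.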

2.3 Computing standard bases 

Let C be a commutative Noetherian ring with 1. 

Definition 24. Let i? be a ring and A G R^^^ a matrix considered as a linear 
map — > i?*. The kernel of A is a submodule of R^. It is called the syzygy 
module of A. li A = (/i, /s, . . . , /,) G R'''\ then 

Syz (/i, ...,/,)= ker(^) = {{h, . . . , /i,) G i?^ | ^ hj^ = 0}. 

Theorem 25. (Buchberger's criterion) Let I C R — C[x]< be an ideal and 
G — {gi, .... Qs} C /. Further let NF { — \ G) be a weak normal form on R 
with respect to G. Then the following statements are equivalent: 

(1) G is a standard basis of I. 

(2) NF(/| G) = Ofor all f e I . 

(3) Each f E I has a standard representation with respect to G. 

(4) G generates I and for every element h with 

/iGSyz(LT(^,)|i = l,...,s), 
NF{hm + --- + hsgs\G) = 0. 

PROOF. The implications 1^2^3^4^1 can be shown as in the 
classic case. The classical proof can be found either in [9] (general orderings) 
or in [7] (global orderings). 
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To specialize further for the case of weak factorial principal rings we modify 
the classical notion of an s-polynomial. 



Definition 26. Let f,g E R\{0}. We define the s -polynomial of / and g to 
be 

. lcm(LT(/),LT(g)) _ 1cm (LT (/) , LT (y)) 

spolyU,^j.- ^^^^^ / ^^^^^ g. 

Remcirk 27. This definition is not equivalent to 
spoly^ (/, g) = 

lcm(LM(/),LM(g)) 1cm (LM (/) , LM (g)) 

LM(7) ^ " LM(^) 

For example let / = 2x — 2y,g — 2y — z in Z4[x,y,z\. Then we get 
spoly^ {f,g) = xz ^ —2y-\-zx — spoly (/, gi). That is, we can loose terms 
just by multiplying with a constant, e.g. if 2a; + y G / for some ideal /, 
then 2y G L (J). Therefore wc have to look for further generators of the syzy- 
gies, the classical s-polynomials are not sufficient. 

Definition 28. Let C be a principal ring and a G C. The annihilator of a, 
Ann(a) = {n G C | a ■ n = 0} is an ideal in C and is hence generated by one 
element, which we denote by NT (a). 



Due to zero-divisors we define the s-polynomial also for pairs (/, g) with one 
component being 0. 

Definition 29. Let $f \in R \setminus \{0\}$. We define the extended s-polynomial of $f$ to
be

$$\operatorname{spoly}(0, f) = \operatorname{spoly}(f, 0) := \operatorname{NT}(\operatorname{LC}(f)) \cdot f.$$
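Definitions 28 and 29 can be tried out on a concrete coefficient ring. The following Python sketch is an added example, not code from the paper; it assumes $C = \mathbb{Z}_m$, where $\operatorname{NT}(a) = m / \gcd(a, m)$, represents polynomials as dictionaries from exponent tuples to coefficients, and uses the lexicographical ordering. The helper names are hypothetical.

```python
from math import gcd

def nt(a, m):
    """Generator NT(a) of Ann(a) = {n in Z_m | a*n = 0} (Definition 28)."""
    return (m // gcd(a, m)) % m

def annihilator(a, m):
    """Ann(a) computed by brute force, used to check nt()."""
    return {n for n in range(m) if (a * n) % m == 0}

def ideal(g, m):
    """The principal ideal generated by g in Z_m."""
    return {(g * k) % m for k in range(m)}

def leading(f):
    """Largest exponent tuple of f. Tuple comparison is the lexicographical
    ordering with x_1 > x_2 > ... (an assumption of this sketch)."""
    return max(f)

def extended_spoly(f, m):
    """spoly(0, f) = NT(LC(f)) * f in Z_m[x] (Definition 29).
    f maps exponent tuples to non-zero coefficients."""
    c = nt(f[leading(f)], m)
    return {e: (c * a) % m for e, a in f.items() if (c * a) % m}

# Constructed inputs in Z_4[x, y, z]; exponent tuples are (x, y, z).
F_ZERO_DIVISOR = {(1, 0, 0): 2, (0, 1, 0): 1}   # 2x + y, LC is a zero divisor
F_UNIT = {(1, 0, 0): 3, (0, 1, 0): 2}           # 3x + 2y, LC is a unit

if __name__ == "__main__":
    # The leading term 2x is annihilated and 2y becomes the new leading term.
    print(extended_spoly(F_ZERO_DIVISOR, 4))
    # A unit has annihilator {0}, so the extended s-polynomial vanishes.
    print(extended_spoly(F_UNIT, 4))
```

For $2x + y$ in $\mathbb{Z}_4[x, y, z]$ the result is $2y$, the element Remark 27 says is lost when only classical s-polynomials are used.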



2.3.1 Buchberger's criterion and the syzygy theorem 

In the following we assume C to be a weak factorial principal ring. Termination 
of Algorithm 2 is an easy consequence of the Noetherian property of the ring R. 
To present the theorem, which implies the correctness of Algorithm 2 we need 
to introduce some terminology. We fix a set of generators $G = \{f_0, f_1, \ldots, f_k\}$
of an ideal $I$ with $f_0 = 0$.

First assume that a set $J \subset \{(i, j) \mid 0 \le j < i \le k\}$ is given with

$$\operatorname{NF}(\operatorname{spoly}(f_i, f_j) \mid G) = 0 \quad \text{for } (i, j) \in J.$$

Algorithm 2 Computes a standard basis of $I$



Input:
    I a finite set of polynomials,
    > a monomial ordering, NF a weak normal form
Output: G is a standard basis of I

    P := {(f, g) | f, g ∈ S, f ≠ g} ∪ {(0, f) | f ∈ G}, the pair set
    while P ≠ ∅ do
        choose (f, g) ∈ P
        P := P \ {(f, g)}
        h := NF(spoly(f, g) | G)
        if h ≠ 0 then
            P := P ∪ {(h, f) | f ∈ G} ∪ {(0, h)}
            G := G ∪ {h}
    return G



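For $0 \le i < j \le k$ let $\operatorname{LT}(f_j) = c_j x^{\alpha_j}$ and define:

$$m_{ji} = \frac{\operatorname{lcm}(c_i, c_j)\, \operatorname{lcm}(x^{\alpha_i}, x^{\alpha_j})}{c_i x^{\alpha_i}} = \frac{\operatorname{lcm}(\operatorname{LT}(f_i), \operatorname{LT}(f_j))}{\operatorname{LT}(f_i)}$$

$$m_{0i} = \operatorname{NT}(c_i)$$

$$\operatorname{spoly}(f_i, f_j) = m_{ji} f_i - m_{ij} f_j$$

$$\operatorname{spoly}(f_i, f_0) = m_{0i} f_i \quad \text{as } f_0 = 0 \text{ (set also } m_{i0} = 0)$$

$$\operatorname{spoly}(f_i, f_j) = \sum_{\nu=1}^{k} a_\nu^{(ij)} f_\nu, \quad \text{the standard representation for } (i, j) \in J$$

$$s_{ij} = m_{ji} e_i - m_{ij} e_j - \sum_{\nu=1}^{k} a_\nu^{(ij)} e_\nu \in \operatorname{Syz}(I) \quad \text{for } (i, j) \in J$$

The elements $m_{0i}$ and $s_{i0}$ correspond to the new s-polynomials, which occur
due to zero divisors.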

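Theorem 30 (Buchberger's criterion). Let $G = \{f_0, f_1, \ldots, f_k\}$ be a set of
generators of $I \subset R$ with $f_0 = 0$. Further let $J \subset \{(i, j) \mid 0 \le i < j \le k\}$ be
such that $\langle m_{ij} e_j \mid (i, j) \in J \rangle = \langle m_{ij} e_j \mid 0 \le j < i \le k \rangle$. If

$$\operatorname{NF}(\operatorname{spoly}(f_i, f_j) \mid G_{ij}) = 0 \quad \text{for } (i, j) \in J$$

and some $G_{ij} \subset G$ then

(a) $G$ is a standard basis of $I$ (Buchberger's criterion) and

(b) $S := \{s_{ij} \mid (i, j) \in J\}$ generates $\operatorname{Syz}(I)$.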



For a proof we refer to [6] . 






Remark 31. The set $S$ is a standard basis of $\operatorname{Syz}(I)$ with respect to the
Schreyer ordering (definition of the Schreyer ordering cf. [9]).

Corollary 32. Algorithm 2 terminates and is correct. 

Remark 33. If / and / are polynomial and if NF is a polynomial weak 
normal form in Algorithm 2 than G is a standard basis of (/)^ consisting of 
polynomials. 

Also, the t-representations of Definition 4 can be utilised for a standard basis
test as given below.

Theorem 34. Let $F = (0, f_1, \ldots, f_k)$, $f_i \in C[x]$, be a polynomial system.
If $\operatorname{spoly}(f, g)$ has a nontrivial t-representation w.r.t. $F$ for each $f, g \in F$,
then $F$ is a Gröbner basis.

PROOF. The theorem can be proved similar as in [10]. A more sophisticated 
version of this theorem can be formulated and proven likewise to [9, p. 142]. 

2.3.2 Criteria for s -polynomials 

In order to compute non-trivial standard bases in practise, we like to have 
criteria to omit unnecessary critical pairs. This improves the time and space 
requirement of the Buchberger algorithm as in the classical case. 

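Lemma 35 (Product criterion). Let $f, g \in R = C[x]_<$ with $\operatorname{LM}(f)$ and
$\operatorname{LM}(g)$ relatively prime. Further let $\operatorname{LC}(f)$ and $\operatorname{LC}(g)$ be a unit, then

$$\operatorname{NF}(\operatorname{spoly}(f, g) \mid \{f, g\}) = 0.$$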

PROOF. No change of the classical proof is needed. However, the strong 
product criterion, which gives an if and only if statement, is not extendable 
to the general case. 

Example 36. The polynomials Ax + y and y"^ + 2z E 1>^[x, y, f] will reduce to 
zero by a sharper product criterion (not given here). In contrast 4y + + 1 
and x^ + 2x'^ will reduce to 2,t^, which is not reducible by either of the 
polynomials nor their extended s-polynomials. 

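Lemma 37 (Chain criterion). With the notations of Theorem 30 let $\operatorname{LT}(f_i) = c_i x^{\alpha_i}$,
$\operatorname{LT}(f_j) = c_j x^{\alpha_j}$, and $\operatorname{LT}(f_l) = c_l x^{\alpha_l}$ with $i > j > l$. If $c_j x^{\alpha_j}$ divides
$\operatorname{lcm}(c_i x^{\alpha_i}, c_l x^{\alpha_l})$ then $m_{li} e_i \in \langle m_{ji} e_i \rangle$. In particular, if $s_{ij}, s_{jl} \in S$ then
$S \setminus \{s_{il}\}$ is already a standard basis of $\operatorname{Syz}(I)$ and $S \setminus \{s_{il}\}$ generates $\operatorname{Syz}(I)$.

PROOF. The divisibility of $\operatorname{lcm}(c_i x^{\alpha_i}, c_l x^{\alpha_l})$ by $c_j x^{\alpha_j}$ implies

$$\operatorname{lcm}(c_i x^{\alpha_i}, c_j x^{\alpha_j}) \mid \operatorname{lcm}(c_i x^{\alpha_i}, c_l x^{\alpha_l}).$$

Dividing both sides by $c_i x^{\alpha_i}$ yields $m_{ji} \mid m_{li}$.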

The following criterion is new and quite useful in practise. 

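Lemma 38. With the notations of Theorem 30 let $\operatorname{LT}(f_i) = c_i x^{\alpha_i}$ and
$\operatorname{LT}(f_l) = c_l x^{\alpha_l}$ with $i > l$. If $\operatorname{NT}(c_i)$ divides $\operatorname{lcm}(c_i, c_l)$ then $m_{li} e_i \in \langle m_{0i} e_i \rangle$.
In particular, if the special $s_{i0} \in S$ (corresponding to an s-polynomial with one
zero entry) then $S \setminus \{s_{il}\}$ is already a standard basis of $\operatorname{Syz}(I)$.

PROOF. Follows from $m_{0i} = \operatorname{NT}(c_i)$.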



3 Boolean Gröbner Basis

In the following, we present methods for treating the bit-level formulation
of digital systems as introduced in section 1.3.2. First, the notion of Boolean
polynomials is given, and a suitable data structure is motivated. The next part
is addressed to effective algorithms for operations on these polynomials. Then
recent results in the theory of Boolean Gröbner bases are presented, including
new criteria, which minimise the number of critical pairs. Finally, we sketch
a new approach, which improves the algorithms by exploiting symmetries in
the polynomial system.

3.1 Boolean Polynomials 

In this section we model expressions from propositional logic as polynomial
equations over the finite field with two elements. In this algebraic language
the problem of satisfiability can be approached by a tailored Gröbner basis
computation. We start with the polynomial ring $\mathbb{Z}_2[x] = \mathbb{Z}_2[x_1, \ldots, x_n]$.

Since the considered polynomial functions take only values from $\mathbb{Z}_2$, the
condition $x^2 = x$ holds for all $x \in \mathbb{Z}_2$. Hence, it is reasonable to simplify a
polynomial in $\mathbb{Z}_2[x]$ w.r.t. the field equations

$$x_1^2 = x_1,\; x_2^2 = x_2,\; \ldots,\; x_n^2 = x_n. \qquad (4)$$

Let $\mathrm{FP} = \{x_1^2 + x_1, \ldots, x_n^2 + x_n\}$ denote the corresponding set of field
polynomials. The field equations yield a degree bound of one on all variables occurring
in a polynomial in $\mathbb{Z}_2[x]$ modulo FP.

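Definition 39 (Boolean Polynomials). Let $p \in \mathbb{Z}_2[x]$ be a polynomial, s.th.

$$p = a_1 \cdot x_1^{\nu_{11}} \cdot \ldots \cdot x_n^{\nu_{1n}} + \ldots + a_m \cdot x_1^{\nu_{m1}} \cdot \ldots \cdot x_n^{\nu_{mn}} \qquad (5)$$

with coefficients $a_i \in \{0, 1\}$. If $\nu_{ij} \le 1$ for all $i, j$ then $p$ is called a Boolean
polynomial.

The set of all Boolean polynomials in $\mathbb{Z}_2[x]$ is denoted by $\mathbb{B}$.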

Note that Boolean polynomials can be uniquely identified with a subset of the 
power set of {xi, . . . , Xn}: 

Lemma 40. Let $R = \mathbb{Z}_2[x]$, and $P = \mathcal{P}(\{x_1, \ldots, x_n\})$ be the power set of
the set of variables of $R$. Then the power set $\mathcal{P}(P)$ of $P$ is in one-to-one
correspondence with the set of Boolean polynomials in $R$ via the mapping
$f : \mathcal{P}(P) \to R$ defined by $S \mapsto \sum_{s \in S} \left( \prod_{x_\nu \in s} x_\nu \right)$.

PROOF. It is obvious, that $\sum_{s \in S} \left( \prod_{x_\nu \in s} x_\nu \right) \in \mathbb{B}$ for each subset $S$ of $P$. On
the other hand, with the notation of equation (5), a Boolean polynomial $p$ is
uniquely determined by the fact, whether a term $x_1^{\nu_1} \cdot \ldots \cdot x_n^{\nu_n}$ occurs in it,
because its coefficients lie in $\{0, 1\}$. Moreover, each term is determined by the
occurrences of its variables. Hence, one can assign the set $S_p = \{s_1, \ldots, s_m\}$
to $p \in \mathbb{B}$, where $s_k \subseteq \{x_1, \ldots, x_n\}$ is the set of variables occurring in the $k$-th
term of $p$.

For practical applications it is reasonable to assume sparsity, i.e. the set S is 
only a small subset of the power set over the variables. Even the elements of S 
can be considered to be sparse, as usually only few variables occur in each 
term. Consequently, the strategies of the proposed algorithms try to preserve 
this kind of sparseness. 

The following statements are not difficult to prove, but essential for the whole 
theory. 

Theorem 41. The composition $\mathbb{B} \hookrightarrow \mathbb{Z}_2[x] \twoheadrightarrow \mathbb{Z}_2[x]/\langle \mathrm{FP} \rangle$ is a bijection. That
is, the Boolean polynomials are a canonical system of representatives of the
residue classes in the quotient ring of $\mathbb{Z}_2[x]$ modulo the ideal of the field
polynomials $\langle \mathrm{FP} \rangle$. Moreover, this bijection provides $\mathbb{B}$ with the structure of a
$\mathbb{Z}_2$-algebra.

PROOF. The map is certainly injective. Since any polynomial can be reduced
to a Boolean polynomial using FP, the map is also surjective.

Definition 42. A function $f : \mathbb{Z}_2^n \to \mathbb{Z}_2$ is called a Boolean function.

Proposition 43. Polynomials in the same residue class modulo $\langle \mathrm{FP} \rangle$ generate
the same function.

PROOF. Let $p, q$ be polynomials with $p - q \in \langle \mathrm{FP} \rangle$. By Theorem 41 we have

$$p = b + f_p, \quad q = b + f_q,$$

where the first summand $b$ is a common Boolean polynomial and the second
summand lies in $\langle \mathrm{FP} \rangle$. The latter evaluates to zero at each point in $\mathbb{Z}_2^n$.

Theorem 44. The map from $\mathbb{B}$ to the set of Boolean functions $\{f : \mathbb{Z}_2^n \to \mathbb{Z}_2\}$
by mapping a polynomial to its polynomial function is an isomorphism of
$\mathbb{Z}_2$-vector spaces. Even more, it is an isomorphism of $\mathbb{Z}_2$-algebras.

PROOF. The map is clearly a $\mathbb{Z}_2$-algebra homomorphism. Injectivity follows
from Theorem 41 together with Proposition 43. For surjectivity it suffices to
see, that both sides have dimension $2^n$.

Corollary 45. Every Boolean polynomial $p \neq 1$ has a zero over $\mathbb{Z}_2$. Every
Boolean polynomial $p \neq 0$ has a one over $\mathbb{Z}_2$, that is $p + 1$ has a zero.

Recalling Definition 1, for $I \subset \mathbb{Z}_2[x]$ the algebraic set in $\mathbb{Z}_2^n$ defined by $I$ is
denoted by $V(I) = \{x \in \mathbb{Z}_2^n \mid \forall f \in I : f(x) = 0\}$.

Corollary 46. There is a natural one-to-one correspondence between Boolean
polynomials and algebraic subsets of $\mathbb{Z}_2^n$, given by $p \mapsto V(\langle p, \mathrm{FP} \rangle)$. Moreover,
every subset of $\mathbb{Z}_2^n$ is algebraic.

PROOF. Since $\mathbb{Z}_2^n$ is finite, every subset is algebraic. Let $\chi_S$ be the
characteristic function of a subset $S \subset \mathbb{Z}_2^n$, that is $\chi_S(x) = 1$ if and only if $x \in S$.
By Theorem 44 there is a $p \in \mathbb{B}$ defining $1 + \chi_S$. Hence, the map is surjective.
Moreover, since both sets have the same cardinality, the result follows.

After showing the correspondence between Boolean functions and Boolean
polynomials we have a look at Boolean formulas, the kind of formulas defining
Boolean functions.

Definition 47. We define a map $\phi$ from formulas in propositional logic to
Boolean functions, by providing a translation from the basis system not ($\neg$),
or ($\vee$), true (True). For any formulas $p, q$ we define the following rules

$$\phi(p \vee q) := \phi(p) \cdot \phi(q)$$
$$\phi(\neg p) := 1 - \phi(p) \qquad (6)$$
$$\phi(\mathrm{True}) := 0$$

Recursively every formula in propositional logic can be translated into Boolean 
functions, as {V, -1, True} forms a basis system in propositional logic. 

Remark 48. (1) It is quite natural to identify 0 and True in computer algebra,
    as we usually associate to a polynomial $f$ the equation $f = 0$, and
    $f$ being zero is equivalent to the equation being fulfilled.
(2) For every Boolean function $f$ there exists a formula $p$ in propositional
    logic, s.th. $\phi(p) = f$. Together with Theorem 44 we obtain that every
    formula gives rise to a Boolean polynomial, generated by rules corresponding
    to those of equation (6).
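The translation of Definition 47 can be carried out directly on the set representation of Lemma 40. The Python sketch below is an added example, not code from the paper: a Boolean polynomial is a frozenset of terms and a term is a frozenset of variable names. It assumes that a propositional variable is mapped to the polynomial variable of the same name, with the value 0 meaning true, and the helper names are hypothetical. By Corollary 45 a formula is satisfiable exactly when its polynomial differs from 1.

```python
from itertools import product

ZERO = frozenset()                   # polynomial with no terms
ONE = frozenset([frozenset()])       # polynomial consisting of the empty term

def var(name):
    return frozenset([frozenset([name])])

def add(p, q):
    # Coefficients lie in Z_2, so equal terms cancel: symmetric difference.
    return p ^ q

def mul(p, q):
    # Boolean multiplication: x * x = x, so a product of terms is a set union.
    result = set()
    for s in p:
        for t in q:
            result ^= {s | t}        # toggle the term (addition modulo 2)
    return frozenset(result)

def phi(formula):
    """Translate 'True', a variable name, ('not', a) or ('or', a, b)
    by the rules of equation (6)."""
    if formula == 'True':
        return ZERO
    if isinstance(formula, str):
        return var(formula)          # assumption: value 0 encodes "true"
    if formula[0] == 'not':
        return add(ONE, phi(formula[1]))     # 1 - phi(p) = 1 + phi(p) in Z_2
    if formula[0] == 'or':
        return mul(phi(formula[1]), phi(formula[2]))
    raise ValueError("unknown connective: %r" % (formula[0],))

def and_(p, q):
    """Conjunction expressed in the basis system {or, not}."""
    return ('not', ('or', ('not', p), ('not', q)))

def evaluate(p, point):
    """Value of the polynomial function of p at a 0/1 assignment."""
    return sum(all(point[v] for v in term) for term in p) % 2

def zeros(p, names):
    """All points of Z_2^n where p vanishes, i.e. where the formula holds."""
    points = (dict(zip(names, bits)) for bits in product((0, 1), repeat=len(names)))
    return [pt for pt in points if evaluate(p, pt) == 0]

def satisfiable(formula):
    return phi(formula) != ONE       # Corollary 45

# Constructed formula: exactly one of a, b holds.
XOR = and_(('or', 'a', 'b'), ('not', and_('a', 'b')))

if __name__ == "__main__":
    print(sorted(map(sorted, phi(XOR))))     # terms of 1 + a + b
    print(zeros(phi(XOR), ['a', 'b']))
```

Because Boolean polynomials are canonical representatives (Theorem 41), two formulas are equivalent exactly when `phi` returns equal sets, which the De Morgan pair `('not', ('or', 'a', 'b'))` and `and_(('not', 'a'), ('not', 'b'))` illustrates.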

We are interested in a representation of Boolean polynomials, whose storage 
space scales well with the number of terms and still allows to carry out vital 
computations for Gröbner basis computation in reasonable time. In the next
section, a data structure with the desired properties is presented. Therefore, 
it can be used to store and handle the construction of Boolean polynomials 
proposed in Lemma 40. 



3.2 Zero-suppressed Binary Decision Diagrams 

Binary decision diagrams (BDDs) are widely used in formal verification and 
model checking for representing large sets. For instance, they arise from con- 
figurations of Boolean functions and states of automata which cannot be con- 
structed efficiently by an enumerative approach. One of the advantages of 
BDDs is the performance of basic operations like intersection and complement. 
Another major benefit are equality tests, which can be carried out immedi- 
ately, as BDDs allow a canonical form. For a more detailed treatment of the 
subject see [17] and [18]. 

Definition 49 (Binary Decision Diagram). A binary decision diagram (BDD)
is a rooted, directed, and acyclic graph with two terminal nodes {0, 1} and
decision nodes. The latter have two ascending edges (high/low or then/else),
each of which corresponding to the assignment of true or false, respectively,
to a given Boolean variable. In case that the variable order is constant over
all paths, we speak of an ordered BDD.

This data structure is compact, but easy to describe and implement. Also, 
the subset of the power set represented by a BDD can be recovered easily, by 
following then- and else-edges. 

Definition 50. Let $b$ be a binary decision diagram.

• The decision variable associated to the root node of $b$ is denoted by top($b$).
Furthermore, then($b$) and else($b$) indicate the (sub-)diagrams, linked to
then- and else-edge, respectively, of the root node of $b$.

• For two BDDs $b_1, b_0$, which do not depend on the decision variable $x$, the
if-then-else operator ite($x, b_1, b_0$) denotes the BDD $c$, which is obtained by
introducing a new node associated to the variable $x$, s.th. then($c$) = $b_1$,
and else($c$) = $b_0$.

A Boolean polynomial $p$ can be converted to an ordered BDD using the
following approach. Having variables $x_1, \ldots, x_n$ the polynomial $p$ can be
written as $p = x_1 \cdot p_1 + p_0$, where $p_1$ and $p_0$ are Boolean polynomials depending
on $x_2, \ldots, x_n$ only. Therefore, if we have diagrams $b_1, b_0$ representing $p_1$ and $p_0$,
respectively, the whole diagram is generated by ite($x_1, b_1, b_0$). But $b_1, b_0$ can be
obtained by recursive application of the procedure with respect to $x_2, \ldots, x_n$.
The recursion ends up by a constant polynomial, which is to be connected to
the corresponding terminal node. Figure 3(a) illustrates such a decision
diagram for the polynomial $ac + c = a \cdot (b \cdot (c \cdot 0 + 0) + (c \cdot 1 + 0)) + b \cdot (c \cdot 0 + 0) + c \cdot 1 + 0$.
From this example, one can already see, that it is useful to identify equivalent
subdiagrams in such a way that those edges which point to equal subgraphs
are actually linked to the same subdiagram instances. The merging procedure
is sketched in Figure 3(b).

Fig. 3. Different kinds of binary decision diagrams representing the
polynomial $ac + c$: (a) initial diagram, (b) subdiagrams merged, (c) zero-suppressed.
Solid/dashed connections marking then/else-edges, respectively.

For efficiency reasons, one may omit variables, which are not necessary to
reconstruct the whole set. This leads to even more compact representations,
which are faster to handle. A classic variant for this purpose is the
reduced-ordered BDD (ROBDD, sometimes referred to as "the BDD"). These are
ordered BDDs with equal subdiagrams merged. Furthermore, a node elimination
is applied, if both descending edges point to the same node. While the last
reduction rule is useful for describing numerous Boolean-valued vectors, it is
gainless for treating sparse sets. For this case, another variant, namely the
ZDD (sometimes also called ZBDD or ZOBDD), has been introduced.

Definition 51 (ZDD). Let z be an ordered binary decision diagram with 
equal subdiagrams merged. If those nodes are eliminated whose then-edges 
point to the 0-terminal, then z is called a zero- suppressed binary decision 
diagram (ZDD). 

Note, in this case elimination means that a node n is removed from the diagram 
and all edges pointing to it are linked to else(n). In Figure 3(b) the then- 
edge of the right node with decision variable c is pointing to the 0-terminal. 
Hence, it can be safely removed, without losing information. As a consequence, 
the then-edge of the b-node is now connected to zero, and hence can also be
eliminated. The effect of the complete zero-suppressed node reduction can 
be seen in Figure 3(c). Note, that the construction guarantees canonicity of 
resulting diagrams, see [17]. 

The structure of the resulting ZDD highly depends on the order of the vari- 
ables, as Figure 4 illustrates. Hence, a suitable choice of the variable order 
is always a crucial point, when modelling a problem using sets of Boolean 
polynomials. 




Fig. 4. ZDD representing the polynomial $ac + bc + c$ for two different variable
orders: (a) $a, b, c$; (b) $a, c, b$. Solid/dashed connections marking then/else-edges,
respectively.

Reinterpreting valid paths of a ZDD as terms of a polynomial, the latter can be
accessed in a lexicographical manner, by using the natural succession arising
from the next definition.

Definition 52. Let $b$ be a ZDD.

• Let $n_1, n_2, \ldots, n_{m+1}$ be a series of connected nodes starting at the root node
of $b$ with $n_{m+1} = 1$. Then the sequence $(n_1, n_2, \ldots, n_m)$ is called a path of $b$.

• Let $x_1 > x_2 > \ldots > x_n$ be the fixed order of the decision variables. For
two paths $P = (n_1, n_2, \ldots, n_p)$ and $Q = (\tilde{n}_1, \tilde{n}_2, \ldots, \tilde{n}_q)$, the natural path
ordering $<$ is given as:

$P < Q \iff$ there exists a $j \in \{1, \ldots, m + 1\}$, $m = \min(p, q)$ such that

$$x(n_i) = x(\tilde{n}_i) \text{ for } 1 \le i < j \quad \text{and} \quad \begin{cases} x(n_j) < x(\tilde{n}_j) & \text{if } j \le m \\ p < q & \text{if } j = m + 1, \end{cases}$$

where $x(n)$ denotes the decision variable of a node $n$.

• The ordered sequence $(P_1, P_2, \ldots, P_s)$ of all paths in $b$, is called the natural
path sequence of $b$.

Note, that the natural path sequence $(())$ of the 1-terminal consists of the
empty path only, while path sequence $()$ of the 0-terminal is empty itself.

One can easily iterate over all paths of a given ZDD. The first path starts at
the root node and follows the then edges, until the 1-terminal is reached. For
a given path $P = (n_1, \ldots, n_m)$ the next path in the natural path sequence,
the successor succ $P$ of $P$, can be computed as follows: let $n_t$ be the first element
of $P$, with else($n_i$) = 0, for all $i > t$, and let the sequence $(\tilde{n}_1, \ldots, \tilde{n}_r)$ denote
the first path in else($n_t$), then succ $P = (n_1, \ldots, n_{t-1}, \tilde{n}_1, \ldots, \tilde{n}_r)$.

Although graph-based approaches using decision diagrams for polynomials
were already proposed before, they were not capable of handling algebraic
problems efficiently. This was mainly due to the fact that the attempts were
applied to very general polynomials, which cannot be represented efficiently
as binary decision diagrams. For instance, a proposal for utilizing ZDDs for
polynomials with integer coefficients can be found in [19]. But Boolean
polynomials can be mapped to ZDDs very naturally, since the polynomial variables
are in one-to-one correspondence with the decision variables in the diagram.
By abuse of notation, we may write in the following $p$ for the ZDD of a Boolean
polynomial $p$.

Also, the importance of nontrivial monomial orderings prevented the use of
ZDDs so far. In order to enable fast access to leading terms and efficient
iterations over all polynomial terms, these are usually stored as sorted lists,
with respect to a given monomial ordering [20]. In contrast, the natural path
sequence in binary decision diagrams is given in a lexicographical way.
Fortunately, it is possible to implement a search for the leading term and term
iterators with moderate effort. Moreover, the results of basic operations like
polynomial arithmetic do not depend on the ordering. Hence, these can
efficiently be done by using basic set operations.



3.3 Boolean Polynomial Arithmetic 

Polynomial addition and multiplication are an essential prerequisite for the
application of Gröbner-based algorithms and related procedures. In the case
of Boolean polynomials, these operations can be implemented as set
operations. As mentioned in section 3.1, Boolean polynomials $p, q \in \mathbb{B}$ can be
identified with sets $S_p, S_q \in \mathcal{P}(\mathcal{P}(\{x_1, \ldots, x_n\}))$, s.th. $p = \sum_{s \in S_p} \left( \prod_{x_\nu \in s} x_\nu \right)$
and $q = \sum_{s \in S_q} \left( \prod_{x_\nu \in s} x_\nu \right)$.

Addition is then just given as $p + q = \sum_{s \in S_{p+q}} \left( \prod_{x_\nu \in s} x_\nu \right)$, where $S_{p+q}$ is
computed as $S_{p+q} = (S_p \cup S_q) \setminus (S_p \cap S_q)$. All three operations - union, complement,
and intersection - are already available as basic ZDD operations. For practical
applications it is appropriate to avoid large intermediate sets like $S_p \cup S_q$ and
repeated iterations over the arguments. Hence, it is more preferable to have a
specialised addition procedure. Algorithm 3 below shows a recursive approach
for such an addition.



Algorithm 3 Recursive addition h = f + g
Input: f, g ∈ 𝔹
    if f = 0 then
        h = g
    else if g = 0 then
        h = f
    else if f = g then
        h = 0
    else
        if isCached(+, f, g) then
            h = cache(+, f, g)
        else
            set x_ν = top(f), x_μ = top(g)
            if ν < μ then
                h = ite(x_ν, then(f), else(f) + g)
            else if ν > μ then
                h = ite(x_μ, then(g), f + else(g))
            else
                h = ite(x_ν, then(f) + then(g), else(f) + else(g))
            cache(+, f, g) = h
    return h

Right after the initial if-statements, which handle trivial cases, the procedure
also includes a cache lookup. The lookup can be implemented cheaply, because
polynomials have a unique representation as ZDDs. Hence, previous
computations of the sums of the form $f + g$ can be reused. The advantage of a recursive
formulation is, that this also applies to those subpolynomials, which are
generated by then($f$) and else($f$). It is very likely, that common subexpressions
can be reused during Gröbner base computation, because of the recurring
multiplication and addition operations, which are used in Buchberger-based
algorithms for elimination of leading terms and the tail-reduction process.

In a similar manner Boolean multiplication is given in Algorithm 4. Note
that the procedure computes the unique representative of the Boolean
product (modulo the field equations). This multiplication is denoted by $\star$ in the
following, while $\cdot$ means the usual multiplication. If variables of right- and
left-hand side polynomials are distinct, both operations coincide.

Algorithm 4 Recursive multiplication h = f ⋆ g
Input: f, g ∈ 𝔹
    if f = 1 then
        h = g
    else if f = 0 or g = 0 then
        h = 0
    else if g = 1 or f = g then
        h = f
    else
        if isCached(⋆, f, g) then
            h = cache(⋆, f, g)
        else
            x_ν = top(f), x_μ = top(g)
            if ν < μ then
                set p_1 = then(f), p_0 = else(f), q_1 = 0, q_0 = g
            else if ν > μ then
                set p_1 = then(g), p_0 = else(g), q_1 = 0, q_0 = f
            else
                set p_1 = then(f), p_0 = else(f), q_1 = then(g), q_0 = else(g)
            h = ite(x_min(ν,μ), p_0 ⋆ q_1 + p_1 ⋆ q_1 + p_1 ⋆ q_0, p_0 ⋆ q_0)
            cache(⋆, f, g) = h
    return h



3.4 Monomial Orderings 

While the operations treated in section 3.3 are independent of the actual
monomial ordering, many operations used in Gröbner algorithms require such
an ordering. Using ZDDs as basic data structure already yields a natural
ordering on Boolean polynomials as the following theorem shows.

Theorem 53. Let $f$ be a Boolean polynomial and $z$ the corresponding ZDD.
If $P$ is a path in $z$, then $m = \prod_{n_i \in P} x(n_i)$, with $x(n)$ denoting the decision
variable of a node $n$, is a term (and monomial) in $f$. Furthermore, the
natural path sequence $(P_1, P_2, \ldots, P_s)$ yields the monomials of $f$ in lexicographical
order, and the first path of $z$ determines the lexicographical leading monomial
of $f$.



PROOF. First note, that for a given path $(n_1, n_2, \ldots, n_m)$, its ordered
sequence of decision variables $(x(n_1), x(n_2), \ldots, x(n_m))$ denotes a formal word
in $x_1, \ldots, x_n$, which can be identified with the monomial given by the
product $x(n_1) \cdot x(n_2) \cdot \ldots \cdot x(n_m)$. The first statement is then a consequence of
the representation of polynomials as decision diagrams and the node
elimination rule of ZDDs. The natural ordering of Definition 52 defines then an
ordering on the corresponding formal words. The latter coincides with the
lexicographical ordering, by comparison of the definitions. Therefore, the
natural path sequence yields the monomials of a polynomial lexicographically
ordered, starting with the leading term.



Monomials can be represented as single-path ZDDs. This enables procedures 
of monomials, analogously to an implementation using linked lists, but due 
to the canonicity of the binary decision diagram, equality check is immediate. 
From the implementation point of view, it is not always necessary to generate 
a ZDD-based representation for a monomial. In case, that just some properties 
are to be checked, and the monomial is not used in the further procedure, these 
tests can also be done on a stacked sequence of nodes, representing a path in 
the ZDD. This kind of stack is used in procedures, which iterate over all terms 
w. r. t. the natural path sequence of a ZDD. Hence, in this case it is already 
available without additional costs. 



3.4.1 Degree and block orderings

Support of degree orderings are important for Gröbner algorithms, for two
reasons. First of all, they are necessary for certain algorithms, and second,
because of their better performance in most cases. A naive approach would be
unrolling all possible paths first, generating all monomials, and selecting the
first among those of maximal degree. But this procedure could not be cached
efficiently. For a Boolean polynomial $p = x \cdot p_1 + p_0$ with top variable $x$ a
recursive formula is

$$\operatorname{LM}(p) = \begin{cases} x \cdot \operatorname{LM}(p_1) & \text{if } \deg(\operatorname{LM}(p_1)) + 1 \ge \deg(\operatorname{LM}(p_0)) \\ \operatorname{LM}(p_0) & \text{else.} \end{cases}$$

But still this variant accumulates many single-serving terms. This can be
avoided by calculating $\deg(f) = \max(\deg(\operatorname{then}(f)) + 1, \deg(\operatorname{else}(f)))$
separately. Caching $\deg(f)$ makes the degree available for all recursively generated
subpolynomials. Algorithm 5 utilises this for computing $\operatorname{LM}(f)$. Similarly,
monomial comparisons and path sequences which yield polynomial terms in
degree-lexicographical order can be implemented.

Algorithm 5 Degree-lexicographical leading term LM(f)
Input: f ∈ 𝔹
    if deg(f) = 0 then return 1
    if not isCached(LM, f) then
        if deg(f) = deg(then(f)) + 1 then
            cache(LM, f) = top(f) · LM(then(f))
        else
            cache(LM, f) = LM(else(f))
    return cache(LM, f)

A degree-reverse-lexicographical ordering can be handled in a similar manner.
But for this purpose, it is more efficient to reverse the order of the variables,
and the search direction as well. In particular, the leading monomial
corresponds to the last path in the natural path sequence with maximal cardinality,
and Algorithm 5 can easily be adapted to this case by replacing the
condition (deg($f$) = deg(then($f$)) + 1) by (deg($f$) $\neq$ deg(else($f$))).

Another important feature are block orderings made of degree orderings. 
For this purpose, a block degree can be computed by equipping the degree- 
computation with a second argument, which marks the end of the current 
block (i.e. that block containing the top variable). Having such a blockdeg 
functionality at hand the leading term computation for a composition of 
degree-lexicographical orderings can be obtained by extending Algorithm 5 
with an iteration over all blocks. 
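The ZDD operations of Algorithms 3, 4 and 5 and the lexicographical term iteration of Theorem 53 fit into one short program. The following Python sketch is an added example, not the authors' implementation: variables are integer indices with a smaller index meaning a larger variable, `functools.lru_cache` stands in for the operation cache, a dictionary serves as the unique table that merges equal subdiagrams, and `lead_deglex` is an iterative form of Algorithm 5 built on the cached degree. All names are hypothetical.

```python
from functools import lru_cache

class Node:
    """ZDD node; the terminals ZERO and ONE carry var=None."""
    __slots__ = ("var", "hi", "lo")
    def __init__(self, var=None, hi=None, lo=None):
        self.var, self.hi, self.lo = var, hi, lo

ZERO, ONE = Node(), Node()
INF = float("inf")
_unique = {}                       # unique table: equal subdiagrams are shared

def ite(v, hi, lo):
    """ite(x_v, hi, lo) under the ZDD rules of Definition 51."""
    if hi is ZERO:                 # then-edge points to 0: node is suppressed
        return lo
    return _unique.setdefault((v, hi, lo), Node(v, hi, lo))

def var(i):
    """The polynomial x_i."""
    return ite(i, ONE, ZERO)

def top(f):
    """Index of the top variable; terminals sort below every variable."""
    return INF if f.var is None else f.var

@lru_cache(maxsize=None)
def add(f, g):
    """Algorithm 3: f + g over Z_2."""
    if f is ZERO:
        return g
    if g is ZERO:
        return f
    if f is g:
        return ZERO
    v, m = top(f), top(g)
    if v < m:
        return ite(v, f.hi, add(f.lo, g))
    if v > m:
        return ite(m, g.hi, add(f, g.lo))
    return ite(v, add(f.hi, g.hi), add(f.lo, g.lo))

@lru_cache(maxsize=None)
def mul(f, g):
    """Algorithm 4: Boolean product, already reduced by x^2 = x."""
    if f is ONE:
        return g
    if f is ZERO or g is ZERO:
        return ZERO
    if g is ONE or f is g:
        return f
    v, m = top(f), top(g)
    if v < m:
        p1, p0, q1, q0 = f.hi, f.lo, ZERO, g
    elif v > m:
        p1, p0, q1, q0 = g.hi, g.lo, ZERO, f
    else:
        p1, p0, q1, q0 = f.hi, f.lo, g.hi, g.lo
    hi = add(add(mul(p0, q1), mul(p1, q1)), mul(p1, q0))
    return ite(min(v, m), hi, mul(p0, q0))

@lru_cache(maxsize=None)
def deg(f):
    """Cached degree; terminals (including ZERO) are given degree 0 here."""
    return 0 if f.var is None else max(deg(f.hi) + 1, deg(f.lo))

def lead_deglex(f):
    """Degree-lexicographical leading monomial as a tuple of variable indices."""
    mono = []
    while deg(f) > 0:
        if deg(f) == deg(f.hi) + 1:
            mono.append(f.var)
            f = f.hi
        else:
            f = f.lo
    return tuple(mono)

def terms(f, prefix=()):
    """Monomials along the natural path sequence, i.e. in lexicographical order."""
    if f is ONE:
        yield prefix
    elif f is not ZERO:
        yield from terms(f.hi, prefix + (f.var,))
        yield from terms(f.lo, prefix)

def size(f):
    """Number of decision nodes reachable from f."""
    seen, stack = set(), [f]
    while stack:
        n = stack.pop()
        if n.var is not None and n not in seen:
            seen.add(n)
            stack += [n.hi, n.lo]
    return len(seen)

if __name__ == "__main__":
    a, b, c = var(0), var(1), var(2)
    p = add(add(mul(a, c), mul(b, c)), c)      # ac + bc + c from Fig. 4
    print(list(terms(p)), size(p))
    print(lead_deglex(add(a, mul(b, c))))      # bc, while the lex leader is a
```

Equality of polynomials is object identity here, which is what makes the cache lookups cheap: `add(mul(a, c), c)` and `mul(add(a, ONE), c)` return the same node.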



3.5 Theory of Boolean Gröbner Bases

In this section, we present the theory of Gröbner bases over Boolean rings.
In the following, we always assume, that the monomial ordering is global
(so $\operatorname{LM}(x^2 + x) = x^2$ for every variable $x$). Since $\mathbb{B} = \mathbb{Z}_2[x]/\langle \mathrm{FP} \rangle$ this is
mathematically equivalent to the theory of Gröbner bases over the quotient
ring. In the classical setting this would mean to add the field polynomials FP to
the given generators $S \subset \mathbb{B}$ of a polynomial ideal and compute a Gröbner basis
of $\langle S, \mathrm{FP} \rangle$ in $\mathbb{Z}_2[x]$. This general approach is not well-suited for the special case
of ideals representing Boolean reasoning systems. Therefore, we propose and
develop algorithmic enhancements and improvements of the underlying theory
of Gröbner bases for ideals over $\mathbb{Z}_2[x]$ containing the field equations. Using
Boolean multiplication this is implementable directly via computations with
canonical representatives in the quotient ring. The following theorem shows,
that it suffices to treat the Boolean polynomials introduced in section 3.1 only.

Theorem 54. Let $S \subset \mathbb{Z}_2[x]$ be a generating system of some ideal, such
that $\mathrm{FP} \subset S \subset \mathbb{B} \cup \mathrm{FP}$. Then all polynomials created in the classical Buchberger
algorithm applied to $S$ are either Boolean polynomials or field polynomials, if
a reduced normal form is used.

PROOF. All input polynomials fulfill the claim. Furthermore, every reduced 
normal form of an s-polynomial is reduced against FP, so it is Boolean. More- 
over, using Boolean multiplication every polynomial inside the normal form 
algorithm is Boolean. Using Boolean multiplication at this point is equivalent 
to usual multiplication and a normal form computation against the ideal of 
field equations afterwards. 

Remark 55. Using this theorem we need field equations only in the
generating system and the pair set. On the other hand, we can implicitly
assume, that all field equations are in our polynomial set, and then replace the
pair $(x_i, p)$ (using Boolean multiplication) by the Boolean polynomial given
by $\operatorname{NF}(\operatorname{spoly}(x_i, p) \mid \mathrm{FP})$. In this way we can eliminate the field
equations completely. A more efficient implementation would be to represent the
pair by the tuple $(i, p)$, as this still allows the application of the criteria, but
delays the multiplication.

Lemma 56. The set of field equations FP is a Gröbner basis.

PROOF. Every pair of field equations has a standard representation by the
product criterion. Hence FP is a Gröbner basis by Buchberger's Criterion [9,
Theorem 1.7.3].

Theorem 57. Every $I \subset \mathbb{Z}_2[x]$ with $I \supset \langle \mathrm{FP} \rangle$ is radical.

PROOF. Consider $p \in \mathbb{Z}_2[x]$, w.l.o.g. assume $p$ is reduced against the
leading ideal $L(I)$. In particular $\operatorname{LM}(p)$ is a Boolean polynomial. Let $n > 0$ and $q$
be the unique reduced normal form of $p^n$ w.r.t. the field ideal. So $q$ is also
a Boolean polynomial. Since $p^n - q$ is a linear combination of field
equations, $p^n - q$ is the zero function over $\mathbb{Z}_2^n$. By Corollary 45 we get $p = q$,
since $p^n$ and $p$ define the same Boolean function. Suppose now $p^n \in I$. Then
we have $p = q = p^n - (p^n - q) \in I$, since $I \supset \langle \mathrm{FP} \rangle$.

Note that for $\mathrm{FP} \subset I \subset \mathbb{Z}_2[x]$ the algebraic set $V(I)$ is equal to the a priori
larger set $\{x \in \overline{\mathbb{Z}_2}^n \mid f(x) = 0 \;\forall f \in I\}$, where $\overline{\mathbb{Z}_2}$ denotes the algebraic closure
of $\mathbb{Z}_2$. Hence we have

Corollary 58. For ideals $I \subset \mathbb{Z}_2[x]$ with $I \supset \langle \mathrm{FP} \rangle$ the following stronger
version of Hilbert's Nullstellensatz holds:

(1) $I = \langle 1 \rangle \iff V(I) = \emptyset$,

(2) $I(V(I)) = I$.

Lemma 59. If $I = \langle p, \mathrm{FP} \rangle$ then $V(I) = V(p)$ and every polynomial $q \in \mathbb{Z}_2[x]$
with $V(q) \supset V(p)$ lies in $I$.

PROOF. Simple application of Hilbert's Nullstellensatz.

It is an elementary fact, that systems of logical expressions can be described 
by a single expression, which describes the whole system behaviour. Hence, 
the one-to-one correspondence of Boolean polynomials and Boolean functions 
given by the mapping defined in Definition 47 motivates the following theorem. 

Theorem 60. Every ideal in $\mathbb{Z}_2[x]/\langle \mathrm{FP} \rangle$ is generated by the equivalence class
of one unique Boolean polynomial. In particular, $\mathbb{Z}_2[x]/\langle \mathrm{FP} \rangle$ is a principal
ideal ring (but not a domain).

PROOF. We use the one-to-one correspondence of ideals in the quotient
ring and ideals in $\mathbb{Z}_2[x]$ containing $\langle \mathrm{FP} \rangle$. Therefore, let $\langle \mathrm{FP} \rangle \subset I \subset \mathbb{Z}_2[x]$.
By Corollary 46 there exists a Boolean polynomial $p$ s.th. $V(\langle p, \mathrm{FP} \rangle) = V(I)$.
By Theorem 58 we get $I = I(V(\langle p, \mathrm{FP} \rangle)) = \langle p, \mathrm{FP} \rangle$. Suppose, there exists a
second Boolean polynomial $q$ with $I = \langle q, \mathrm{FP} \rangle$. Then

$$V(p) = V(I) = V(q).$$

So $p$ and $q$ define the same characteristic function, which means that they are
identical Boolean polynomials.

Hence, using Theorem 44, Corollary 46 and Corollary 58, we have the following
bijections:

$$\mathbb{B} \leftrightarrow \{\text{Boolean functions}\} \leftrightarrow \{\text{ideals } I \subset \mathbb{Z}_2[x] \text{ with } \mathrm{FP} \subset I\} \leftrightarrow \{\text{algebraic subsets of } \mathbb{Z}_2^n\} \leftrightarrow \{\text{subsets of } \mathbb{Z}_2^n\}.$$

Definition 61. For any subset $H \subset \mathbb{Z}_2[x]$, call

$BI(H) := \langle H, FP \rangle \subset \mathbb{Z}_2[x]$

the Boolean ideal of $H$. We call a reduced Gröbner basis of $BI(H)$ the Boolean
Gröbner basis of $H$, short $BGB(H)$.

Recall from Theorem 54 that $BGB(H)$ consists of Boolean polynomials and
can be extended to a reduced Gröbner basis of $BI(H)$ by adding some field
polynomials.

Theorem 62. Let $p, q \in B$ with $V(p) \subset V(q)$. Then $\langle p, FP \rangle \supset \langle q, FP \rangle$ and we
say $p$ implies $q$. This implication relation forms a partial order on the set of
Boolean polynomials.

PROOF. Since both ideals are radical, Hilbert's Nullstellensatz gives the
ideal containment. The implication is a partial order by the one-to-one
correspondence between Boolean polynomials and sets. It corresponds itself to the
inclusion of sets.
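
The correspondence between Boolean polynomials, zero sets and ideals used in Lemma 59 and Theorems 60 and 62 can be checked by brute force on a few variables. The following Python code is an added example, not code from the paper or from PolyBoRi; the set-of-monomials representation, the 0-based variable indices and all function names are assumptions made for illustration.

```python
from itertools import product

# Representation (an assumption of this example): a Boolean polynomial is a
# frozenset of monomials, a monomial is a frozenset of variable indices.
# Exponents never exceed 1 because x_i^2 = x_i modulo the field polynomials FP.
ONE = frozenset({frozenset()})


def var(i):
    """The polynomial x_i."""
    return frozenset({frozenset({i})})


def add(p, q):
    """Sum in Z_2[x]/<FP>: equal monomials cancel."""
    return p ^ q


def mul(p, q):
    """Product in Z_2[x]/<FP>: multiplying monomials is a union of variables."""
    r = set()
    for s in p:
        for t in q:
            r ^= {s | t}
    return frozenset(r)


def evaluate(p, point):
    """Value of p at a point of Z_2^n given as a 0/1 tuple."""
    return sum(all(point[i] for i in mono) for mono in p) % 2


def zero_set(p, n):
    """V(p) as a set of points of Z_2^n."""
    return {x for x in product((0, 1), repeat=n) if evaluate(p, x) == 0}


def polynomial_with_zero_set(zeros, n):
    """The unique Boolean polynomial that vanishes exactly on `zeros`.

    The coefficient of the monomial with support s is the sum (mod 2) of the
    function values over all points whose support is contained in s.
    """
    points = list(product((0, 1), repeat=n))
    p = set()
    for s in points:
        below = (t for t in points if all(a <= b for a, b in zip(t, s)))
        if sum(1 for t in below if t not in zeros) % 2:
            p.add(frozenset(i for i in range(n) if s[i]))
    return frozenset(p)


def implies(p, q, n):
    """p implies q (Theorem 62): V(p) is contained in V(q)."""
    return zero_set(p, n) <= zero_set(q, n)


def in_boolean_ideal(q, p):
    """q lies in <p, FP> exactly when q = q*p as Boolean polynomials.

    If V(q) contains V(p), the functions q and q*p agree at every point, so the
    reduced polynomials are equal; conversely q = q*p is a multiple of p.
    """
    return mul(q, p) == q


def ideal_generator(polys, n):
    """Single generator of <polys, FP> (Theorem 60): keep only the common zeros."""
    common = set.intersection(*(zero_set(p, n) for p in polys))
    return polynomial_with_zero_set(common, n)


if __name__ == "__main__":
    # Constructed example: an AND gate x2 = x0*x1 whose output is forced to 1.
    x0, x1, x2 = var(0), var(1), var(2)
    gate, output_is_one = add(mul(x0, x1), x2), add(x2, ONE)
    g = ideal_generator([gate, output_is_one], 3)
    print(sorted(map(sorted, g)))
    print(in_boolean_ideal(gate, g), implies(g, gate, 3))
```

For two generators the result coincides with the closed form p + q + p·q, which is how a system of logical expressions collapses into a single one.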



3.6 Criteria

Criteria for keeping the set of critical pairs in the Buchberger algorithm small 
are a central part of any Grobner basis algorithm aiming at practical effi- 
ciency. In most implementations the chain criterion and the product criterion 
or variants of them are used. 

These criteria are of quite general type, and it is a natural question, whether 
we can formulate new criteria for Boolean Grobner bases. Indeed, this is the 
case. There are two types of pairs to consider: Boolean polynomials with field 
equations, and pairs of Boolean polynomials. We concentrate on the first kind 
of pairs here. 

Theorem 63. Let $f \in M$ be of the form $f = l \cdot g$, $l$ a polynomial with linear
leading term $x_i$, and $g \in \mathbb{Z}_2[x]$ be any polynomial. Then $\mathrm{spoly}(f, x_i^2 + x_i)$ has
a nontrivial t-representation against the system consisting of $f$ and the field
equations.

The theorem was proved by Brickenstein in [21]. 

Lemma 64. Let $G$ be a Gröbner basis, $f$ a polynomial, then $\{f \cdot g \mid g \in G\}$ is a
Gröbner basis.

Remark 65. This lemma is trivial, we just want to show the difference to the 
next theorem. 

Theorem 66. Let $G$ be a Boolean Gröbner basis, $l \in B$ with $\deg(\mathrm{LM}(l)) = 1$
and $\mathrm{supp}(l) \cap \mathrm{supp}(g) = \emptyset$ for all $g \in G$. Then $\{l \cdot g \mid g \in G\}$ is a Boolean
Gröbner basis, that is, $\{l \cdot g \mid g \in G\} \cup FP$ is a Gröbner basis. In other words,
we get a Gröbner basis again by multiplying the Boolean polynomials, but not
the field equations, with the special polynomial $l$.

PROOF. We show that every s-polynomial has a non-trivial t-representation.

We have to consider three types of pairs. If $p, q$ are both field polynomials,
$\mathrm{spoly}(p, q)$ has a standard representation by the product criterion. If $p, q$ are
both Boolean polynomials, then $\mathrm{spoly}(l \cdot p, l \cdot q)$ has a standard representation
by multiplying the standard representation of $\mathrm{spoly}(p, q)$ by $l$. Now let $p$ be a
Boolean polynomial and $q$ a field polynomial, say $q = x^2 + x$. If $\mathrm{LM}(l) = x$,
then $\mathrm{spoly}(l \cdot p, q)$ has a nontrivial t-representation by Theorem 63. If $x$ occurs
in $\mathrm{LM}(p)$, then by Lemma 64 $\mathrm{spoly}(l \cdot p, l \cdot q)$ has a standard representation
against $\{l \cdot g \mid g \in G\} \cup \{l \cdot e \mid e \in FP\}$, so also against the set $\{l \cdot g \mid g \in G\} \cup FP$.
Hence, we just have to show that the difference to $\mathrm{spoly}(l \cdot p, l \cdot q)$ has a
t-representation with $t < \mathrm{LM}(p) \cdot \mathrm{LM}(l) \cdot x =: c$. Setting

$h := \mathrm{spoly}(l \cdot p, l \cdot (x^2 + x)) - \mathrm{spoly}(l \cdot p, x^2 + x) = \mathrm{tail}(l) \cdot (x^2 + x)$

we get that $x^2 + x$ divides $h$, and $\mathrm{LM}(h) = \mathrm{LM}((x + 1) \cdot \mathrm{tail}(l)) \cdot x < c$,
since $\mathrm{LM}(p)$ contains $x$. So $h$ has a standard representation against $x^2 + x$. If
$x$ does neither occur in $\mathrm{LM}(l)$ nor in $\mathrm{LM}(p)$ the product criterion applies.
Reducedness follows from the fact that $l$ does not share any variables with $G$.



3.7 Symmetry and Boolean Gröbner bases

In this section we will show how to use the theory presented in the previous 
section to build faster algorithms by using symmetry and simplification by 
pulling out factors with linear leads. 

For a polynomial p we denote by vars(p) the set of variables actually occurring
in the polynomial. 



Definition 67. Let $p$ be a polynomial in $\mathbb{Z}_2[x]$ with a given monomial
ordering $>$, $|\mathrm{vars}(p)| = k$, $I = \mathrm{vars}(p) = \{x_{i_1}, \ldots, x_{i_k}\}$, and $J = \{x_{j_1}, \ldots, x_{j_k}\}$ be
any set of $k$ variables. We call a morphism of polynomial algebras over $\mathbb{Z}_2$,

$f : \mathbb{Z}_2[I] \to \mathbb{Z}_2[J] : x_{i_s} \mapsto x_{j_s}$ for all $s$,

a suitable shift for $p$, if and only if for all monomials $t_1, t_2 \in \mathbb{Z}_2[I]$ the
relation $t_1 > t_2 \iff f(t_1) > f(t_2)$ holds.

Remark 68. In the following we concentrate on the problem of calculating
BGB(p) for one Boolean polynomial $p$ (non-trivial, as field equations are
implicitly included). So, if we know BGB(q) for a Boolean polynomial $q$ and if
there exists a suitable shift $f$ with $f(q) = p$, then $f(\mathrm{BGB}(q)) = \mathrm{BGB}(p)$.
Hence, we can avoid the computation of BGB(p). Adding all elements of
BGB(p) to our system means that we can omit all pairs of the form $(p, x_i^2 + x_i)$.
A special treatment (using caching and tables) of this kind of pairs is a good
idea, because this is an often recurring phenomenon. As these pairs depend
only on $p$ (the field equations are always the same), this reduces the number
of combinations significantly.

Remark 69. Note, that the concept of Boolean Grobner bases fits very well 
here, as BGB(p) is the same in Z2[vars(p)] as in Z2[x], although the last case 
refers to a Grobner basis with more field equations. 

Definition 70. We define the relation $p \sim_{pre} q$, if and only if there exists a
suitable shift between $p$ and $q$ or if there exists an $l$ with $\deg(\mathrm{LM}(l)) = 1$ and
$p = l \cdot q$. From $\sim_{pre}$ we derive the relation $\sim_{sym}$ as its reflexive, symmetric,
transitive closure (the smallest equivalence relation containing $\sim_{pre}$).

Remark 71. For all $p$ and $q$ in an equivalence class of $\sim_{sym}$ the Boolean
Gröbner basis BGB(p) can be mapped to BGB(q) by a suitable variable shift
and pulling out (or multiplying) by Boolean polynomials with linear lead.
In practice, we can avoid complete factorizations by restricting ourselves to
detect factors of the form $x$ or $x + 1$. Using these techniques it is possible to
avoid the explicit calculation of many critical pairs.

Definition 72. A monomial ordering is called symmetric, if the following
holds. For every $k$, and every two subsets of variables $I = \{x_{i_1}, \ldots, x_{i_k}\}$
and $J = \{x_{j_1}, \ldots, x_{j_k}\}$ with $i_z < i_{z+1}$, $j_z < j_{z+1}$ for all $z$ the $\mathbb{Z}_2$-algebra
homomorphism

$f : \mathbb{Z}_2[I] \to \mathbb{Z}_2[J] : x_{i_s} \mapsto x_{j_s}$

defines a suitable shift.

Algorithm 6 Calculating BGB(p) in a symmetric order
Input: $p \in B$, $>$ a monomial ordering
Output: BGB(p)

  pull out as many factors with linear lead as possible
  calculate a more canonical representative q of the equivalence class of p in
      $\sim_{sym}$ by shifting p to the first variables
  if q lies in a cache or table then
      B := BGB(q) from cache
  else
      B := BGB(q) by Buchberger's algorithm
  shift B back to the variables of p
  multiply B by the originally pulled out factors
  return B

For a symmetric ordering it is always possible to map a polynomial $p$ to the
variables $x_1, \ldots, x_{|\mathrm{vars}(p)|}$ by a suitable shift. This is utilised in Algorithm 6 for
speeding up calculation of Boolean Gröbner bases. In the following we assume
that the representative chosen in the algorithm is canonical (in particular
uniquely determined in the equivalence class in $\sim_{sym}$), if every factor with
linear lead is pulled out.

Remark 73. From the implementation point of view, it turned out to be
useful to store the BGB of all $2^{16}$ Boolean polynomials in up to four variables
in a precomputed table, for more variables we use a dynamic cache (pulling
out factors reduces the number of variables). Using canonical representatives
increases the number of cache hits.
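
The control flow of Algorithm 6, restricted as in Remark 71 to factors of the form x_i or x_i + 1, is shown below in Python. This is an added example, not PolyBoRi's implementation: the set-of-monomials representation, the 0-based variable indices and the caller-supplied `buchberger` routine (any function returning BGB(q) for the canonical representative q) are assumptions.

```python
# A Boolean polynomial is a frozenset of monomials; a monomial is a frozenset
# of variable indices (representation assumed for this example).

def variables(p):
    """Sorted variable indices occurring in p, i.e. vars(p)."""
    return sorted(set().union(*p)) if p else []


def substitute(p, i, value):
    """p with x_i replaced by the constant `value` (0 or 1)."""
    r = set()
    for mono in p:
        if i in mono and value == 0:
            continue                      # the monomial vanishes
        r ^= {mono - {i}}                 # x_i := 1 drops the variable
    return frozenset(r)


def times_linear(p, i, c):
    """p * (x_i + c) modulo the field equations, c in {0, 1}."""
    r = set(p) if c else set()
    for mono in p:
        r ^= {mono | {i}}
    return frozenset(r)


def find_linear_factor(p):
    """Return (i, c) with p = (x_i + c) * rest, or None.

    Writing p = x_i*p1 + p0: p vanishes at x_i = 0 iff p = x_i * p1, and it
    vanishes at x_i = 1 iff p = (x_i + 1) * p0.
    """
    for i in variables(p):
        for c in (0, 1):
            if not substitute(p, i, c):
                return i, c
    return None


def canonical_representative(p):
    """Pull out factors x_i / x_i + 1, then shift the rest to x_0, x_1, ..."""
    factors = []
    while (hit := find_linear_factor(p)) is not None:
        i, c = hit
        factors.append(hit)
        p = substitute(p, i, 1 - c)       # the cofactor is free of x_i
    vs = variables(p)                     # vs[k] is the variable behind x_k
    index = {v: k for k, v in enumerate(vs)}
    q = frozenset(frozenset(index[v] for v in mono) for mono in p)
    return factors, vs, q


def bgb_with_cache(p, buchberger, cache):
    """Algorithm 6: compute BGB(p) through the cache entry of its representative."""
    factors, vs, q = canonical_representative(p)
    if q not in cache:
        cache[q] = buchberger(q)          # only cache misses cost a real run
    # shift the cached basis back to the variables of p ...
    basis = [frozenset(frozenset(vs[k] for k in mono) for mono in g)
             for g in cache[q]]
    # ... and multiply by the factors pulled out at the start (Theorem 66)
    for i, c in factors:
        basis = [times_linear(g, i, c) for g in basis]
    return basis


if __name__ == "__main__":
    # Constructed inputs: (x9 + 1)*(x3*x5 + x5 + 1) and x1*(x4*x8 + x8 + 1)
    core_a = frozenset(map(frozenset, ([3, 5], [5], [])))
    core_b = frozenset(map(frozenset, ([4, 8], [8], [])))
    for p in (times_linear(core_a, 9, 1), times_linear(core_b, 1, 0)):
        factors, vs, q = canonical_representative(p)
        print(factors, vs, sorted(map(sorted, q)))
```

Both constructed inputs reduce to the same representative, so a real Gröbner basis run is needed only once for the pair.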

The technique for avoiding explicit calculations can be integrated in nearly 
every algorithm similar to the Buchberger's algorithm. Best results were made 
by combining these techniques with the algorithm slimgb [22], we call this 
combination symmgbGF2. For our computations the strategy in slimgb for 
dealing with elimination orderings is quite essential. 

Practical meaning of symmetry techniques

The real importance of symmetry techniques should not only be seen in avoiding
computations in leaving out some pairs. In contrast, application of the
techniques described above changes the behaviour of the algorithm completely.
Having a Boolean polynomial $p$, the sugar value [23] of the pair $(p, x^2 + x)$ is
usually $\deg(p) + 1$, which corresponds to the position in the waiting queue of
critical pairs. It often occurs that in BGB(p) polynomials with much smaller
degree occur.

Having these polynomials earlier, we can avoid many other pairs in higher
degree. This applies quite frequently in this area, in particular, when we
have many variables, but the resulting Gröbner basis looks quite simple (for
example linear polynomials). The earlier we have these low degree polynomials,
the easier the remaining computations are, resulting in fewer pairs and faster
normal form computations.



4 Applications 

The algorithms described in section 2 resp. 3 have been implemented in
SINGULAR [24] resp. the PolyBoRi framework [21]. We use these implementations
to test our approach by computing realistic examples from formal verification.
We compare the computations with other computer algebra systems and with
SAT-solvers, all considered to be state-of-the-art in their field.

Moreover, we state open questions and conjectures, in particular in the case 
of Grobner bases over rings, an area which is not very much explored. 

The application of Grobner bases over l^^ is still under development. Here we 
mention mainly problems in connection with the proposed applications. On 
the other hand we show that the improvements developed in section 2.2 and 
section 2.3 for Grobner bases over weak factorial principal rings are extremely 
useful for computations over these rings. 

4.1 Standard bases over rings

Let us recapitulate the original problem first, which was posed in section 1.3.1.

Problem 74. Given a finite set of polynomials $\{f_i\} \subset \mathbb{Z}_{2^n}[x]$. Does a common
zero of the system $\{f_i = 0\}$ exist, i.e. is $V(\langle f_i \rangle) \neq \emptyset$?

To answer this question with the help of computer algebra and Grobner bases 
theory, the following key problems have to be solved. 

Problem 75.

(1) An efficient algorithm* to compute Gröbner bases over $\mathbb{Z}_{2^n}$.

(2) A way to handle vanishing polynomials, i.e. polynomials evaluating to
zero everywhere.

(3) A suitable Nullstellensatz equivalent for $\mathbb{Z}_{2^n}[x]$, or at least a simple
Gröbner basis criterion for the existence of a common zero over some
extension ring.

* Here and in the following efficient refers to practical performance and not to the
complexity of the algorithms.

#vars  #polys  maxdeg  #mons/#polys  #GB     Singular                Magma
2      5       15      69.2          3       0.40 s    4.11 MB       68.16 s    13.57 MB
3      3       10      6.7           254     8.50 s    17.23 MB      1287.80 s  19.60 MB
3      3       15      7.4           599     204.82 s  146.98 MB     time out after 1h
4      4       10      2.8           120     0.04 s    0.87 MB       10.68 s    9.52 MB
4      4       10      3.0           361     20.36 s   32.24 MB      time out after 1h
5      5       10      2.4           584     0.15 s    1.09 MB       455.35 s   30.07 MB
5      5       10      2.8           1043    1.11 s    2.34 MB       time out after 1h
7      5       10      2.0           614     0.14 s    1.14 MB       40.06 s    35.35 MB
7      5       10      2.2           2547    2.23 s    3.03 MB       time out after 1h
10     10      4       1.9           436     0.11 s    1.09 MB       92.45 s    16.75 MB
10     10      4       3.0           11734   963.39 s  341.70 MB     time out after 1h
12     10      3       2.3           5536    18.40 s   16.75 MB      time out after 1h
12     10      3       3.0           1940    3.69 s    13.12 MB      time out after 1h

Table 1

Computation of a Gröbner basis in $\mathbb{Z}_{2^{10}}$ with degree reverse lexicographical ordering.
Randomly generated examples on an AMD Dual Opteron 2.2 GHz, 16 GB RAM.

In section 2 we explained how an efficient algorithm for Problem 75(1) can
be instantiated. In order to optimise the algorithm in the case of $\mathbb{Z}_{2^n}$ we can
replace all greatest common divisor computations by fast divisibility tests.

We implemented the algorithm in the kernel of the computer algebra system
Singular [24] and compared the performance to Magma, the only other
system we found to be capable of computing Gröbner bases in $\mathbb{Z}_{2^n}$. As we
could not solve industrial-sized problems due to time and space explosion we
compared the implementations with random instances. In Table 1 we present
only a few concrete runtimes, but they give an overall impression of the data.
The table shows that the special algorithms for $\mathbb{Z}_{2^n}$ (apparently not contained
in Magma) pay off substantially.

To deal with Problem 2, that is with the ideal of vanishing polynomials in $\mathbb{Z}_m[x]$
with $m \in \mathbb{N}$ we determined the minimal Gröbner basis $G_0$ of

$I_0 = \{f \in \mathbb{Z}_m[x] \mid \forall x : f(x) = 0\}$

combinatorially (cf. [5]). The size of Go grows roughly with SM(m)*'^'''^'^^^^, 
where SM(m) is the Smarandache function [25]. Hence, for a typical application
instance of formal verification just listing the ideal $G_0$ becomes infeasible. We
therefore devised a method of constructing only the necessary elements of $G_0$
for s-polynomial and normal form computations, but even their number grows
exponentially in the number of variables.

Another obstacle, related to this one, arises while investigating the modeling
strength of polynomial functions in comparison to arbitrary functions from
$\mathbb{Z}_m^n \to \mathbb{Z}_m$. Here we have the following

Observation 76 ([5]). There are many more functions $\mathbb{Z}_m^n \to \mathbb{Z}_m$ than
polynomial functions and many more subsets of $\mathbb{Z}_m^n$ than varieties if $m$ is not a
prime number. The quotient of all functions by polynomial functions grows at
least double-exponentially in the number of variables. If $m$ is a prime, then all
functions respectively subsets of $\mathbb{Z}_m^n$ are polynomial, respectively algebraic.

The following conjecture was verified for small m, n.

Conjecture 77. A function $\mathbb{Z}_m^n \to \mathbb{Z}_m$ is polynomial if and only if Newton
interpolation works. This means that the division during the algorithm is
possible, but not necessarily unique.
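
For one variable (n = 1) both Observation 76 and Conjecture 77 can be checked exhaustively for small m. The Python code below is an added example, not taken from the paper or from [5]; it reads "Newton interpolation works" as the assumption that every equation k!·c_k = (Δ^k f)(0) for the Newton coefficient c_k is solvable in Z_m, and all function names are illustrative.

```python
from itertools import product
from math import factorial, gcd


def monomial_value_vectors(m):
    """Value vectors (x^k mod m for x = 0..m-1) of 1, x, x^2, ... until one repeats."""
    vectors, seen = [], set()
    v = (1,) * m                                  # x^0
    while v not in seen:
        seen.add(v)
        vectors.append(v)
        v = tuple(a * x % m for a, x in zip(v, range(m)))
    return vectors


def polynomial_functions(m):
    """All functions Z_m -> Z_m induced by polynomials, as tuples of values.

    They form the Z_m-span of the monomial value vectors, built up one
    generator at a time.
    """
    span = {(0,) * m}
    for g in monomial_value_vectors(m):
        span = {tuple((s[x] + c * g[x]) % m for x in range(m))
                for s in span for c in range(m)}
    return span


def newton_interpolation_works(f, m):
    """True iff k! * c_k = (Delta^k f)(0) has a solution c_k in Z_m for every k < m.

    The equation is solvable exactly when gcd(k!, m) divides the k-th forward
    difference at 0; the solution is unique only if gcd(k!, m) = 1.
    """
    diffs = list(f)                               # Delta^0 f on 0..m-1
    for k in range(m):
        if diffs[0] % gcd(factorial(k), m):
            return False
        diffs = [(b - a) % m for a, b in zip(diffs, diffs[1:])]
    return True


def count_by_newton(m):
    """Number of value tuples accepted by the Newton test, without enumeration."""
    count = 1
    for k in range(m):
        count *= m // gcd(factorial(k), m)
    return count


def compare(m):
    """(#polynomial functions, #all functions, do both tests agree everywhere?)."""
    poly = polynomial_functions(m)
    everything = list(product(range(m), repeat=m))
    agree = all((f in poly) == newton_interpolation_works(f, m)
                for f in everything)
    return len(poly), len(everything), agree


if __name__ == "__main__":
    for m in (4, 5, 6):
        print(m, compare(m))
```

For prime m every function passes, while for m = 4 and m = 6 only a small fraction of all functions is polynomial.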

With respect to Problem 75 (3) we mention the following lemma which is a 
negative result. 

Lemma 78. Let $C$ be a ring with zero divisors. There exists no ring $\overline{C} \supset C$,
such that every non-constant polynomial of $C[x]$ has a zero in $\overline{C}$.

PROOF. Let $n \in C \setminus \{0\}$ be a zero divisor and consider $f = nx - 1$. Assume
there exists a ring $\overline{C} \supset C$ which contains a root $r$ of $f$. Then $f(r) = n \cdot r - 1 = 0$
and hence $1 = n \cdot r$. On the other hand, there exists an $m \neq 0$ with $m \cdot n = 0$
and hence $m \cdot 1 = m \cdot n \cdot r = 0$, a contradiction.

Remark 79. If $C$ has no zero divisors then a ring $\overline{C}$ as in Lemma 78 exists.
We may take $\overline{C}$ just as the algebraic closure of the quotient field of $C$. If $I$
is an ideal in $C[x]$ we set $V(I) := \{x \in \overline{C}^n \mid f(x) = 0 \ \forall f \in I\}$ and get the
following answer to Problem 75 (3): Let $G \subset C[x]$ be a Gröbner basis of $I$.
Then $V(I) = \emptyset$ iff $G$ contains a non-zero element of $C$.

However, if $C$ has zero divisors, it is not clear what a useful answer to
Problem 75 (3) should look like.

4.2 The PolyBoRi Framework 

We will give a brief description of the PolyBoRi framework [21] and the
implemented algorithms. At the end of this section, the time and space
requirements of some benchmark examples are compared with those of other
computer algebra systems and a SAT-solver.






The core routines of PolyBoRi form a C++ library for Polynomials over
Boolean Rings providing high-level data types for Boolean polynomials and
monomials, exponent vectors, as well as for the underlying Boolean rings.
The ZDD structure, which is used as internal storage for polynomials and
monomials, is based on a data type from CUDD [26].

In addition, basic polynomial operations - like addition and multiplication -
have been implemented and associated to the corresponding operators.
PolyBoRi's polynomials also provide ordering-dependent functionality, like
leading-term computations, and iterators for accessing polynomial terms in the
style of Standard Template Library's iterators [27]. This is implemented by a
stack, which holds a valid path. The corresponding monomial may be returned
on user request, and incrementing the iterator results in a search for a valid
path, corresponding to the next term in monomial order. The ordering-dependent
functions are currently available for the orderings introduced in section 3.4
and block orderings thereof.

Issues regarding the monomial ordering and the internal data structure are 
hidden behind a user programming interface. This allows the formulation of 
generic procedures in terms of computational algebra, without the need for 
caring about internals. This will then work for any applicable and implemented 
Boolean ring. 

Complementary, a complete Python [28] interface allows parsing of complex
polynomial systems. Rapid prototyping of sophisticated and easily extendable
strategies for Gröbner basis computations was possible by using this script
language. With the tool ipython the PolyBoRi data structures and procedures
can be used interactively. In addition, interfaces to the computer algebra
system Singular [24] and the SAGE system [29] are under development.

4.3 Timings

This section presents some benchmarks comparing PolyBoRi to general purpose
and specialised computer algebra systems. The following timings have
been done on an AMD Dual Opteron 2.2 GHz (all systems have used only
one CPU) with 16 GB RAM on Linux. The ordering used was lexicographical,
with the exception of FGb, where degree-reverse-lexicographic was used.
PolyBoRi also implements degree orderings, but for the presented practical
examples elimination orderings seem to be more appropriate. A recent
development in PolyBoRi was the implementation of block orderings, which
behave very naturally for many examples.

We compared the computation of a Gröbner basis for the following system
releases with the development version of PolyBoRi's symmgbGF2:

Maple 11.01, June 2007       Gröbner package, default options
FGb 1.34, Oct. 2006          via Maple 11.01, command: fgb_gbasis
Magma 2.13-10, Feb. 2007     command: GroebnerBasis, default options
Singular 3-0-3, May 2007     std, option(redTail)

[Table 2: the table body was damaged in extraction and cannot be reconstructed;
the surviving row labels are mult6x6, mult8x8 and mult10x10, with times in s and
memory in MB.]

Table 2

Timings and memory usage for benchmark examples. The ∞ symbols in time and
memory columns mark timeout after 1 hour and out of memory at 15 GB.

Note, that this presents the state of PolyBoRi in the development version in 
August 2007 only. Since the project is very young there is still room for major 
performance improvements. The examples were chosen from current research 
problems in formal verification. All timings of the computations (lexicograph- 
ical ordering) are summarised in Table 2. 



The authors of this article are convinced that the default strategy of Magma
is not well suited for these examples (walk, see [31], or homogenisation).
However, when we tried a direct approach in Magma, it ran out of memory very
quickly (at least in the larger examples). We can conclude that the implemented
Gröbner basis algorithm in PolyBoRi offers a good performance combined
with suitable memory consumption. Part of the strength in directly computing
Gröbner bases (without walk or similar techniques) is inherited from the
slimgb algorithm in SINGULAR. On the other hand our data structures provide
a fast way to rewrite polynomials, which might be of bigger importance than
sparse strategies in the presented examples.

In order to treat classes of examples, for which the lexicographical ordering 
is not the best choice, PolyBoRi is also equipped with other monomial or- 
derings. Although its internal data structure is ordered lexicographically, the 
computational overhead of degree orderings is small enough such that the ad- 
vantage of these orderings come into effect. Table 3 illustrates this for a series 
of randomly generated unsatisfiable uniform examples [32]. The latter arise 
from benchmarking SAT-solvers, which can handle them very quickly, as their 
conditions are easy to contradict. But they are still a challenge for the alge- 
braic approach. The strength of PolyBoRi is visible in the more complex 
examples, as it scales better than the other systems in tests. 

[Table 3: the table body was damaged in extraction and cannot be reconstructed;
the surviving ordering labels are dlex and dp_asc, with times in s and memory
in MB.]

Table 3

Timings and memory usage for Gröbner basis computations w. r. t. various
orderings. The ∞ symbol means timeout after 2 days, failed means stopped with
error message, and dp_asc denotes dp with reversed variable order.

[Table 4: column headers and the cells shown as "(lost)" did not survive
extraction.]

(lost)      (lost)  (lost)  0.01 s   54.66 MB  0.01 s   1.95 MB
mult6x6     117     106     0.03 s   54.92 MB  0.03 s   (lost)
mult8x8     203     188     0.40 s   55.43 MB  0.96 s   2.21 MB
mult10x10   313     294     18.11 s  85.91 MB  22.85 s  3.61 MB

Table 4

Deciding satisfiability with PolyBoRi using Gröbner basis computations in
comparison with MiniSat, a state-of-the-art SAT solver.

In addition the performance of PolyBoRi is compared with the freely
available SAT-solver MiniSat2 (release date 2007-07-21), which is state-of-the-art
among publicly available solvers [33]. The examples consist of formal
verification examples corresponding to digital circuits with n-bitted multipliers
and the pigeon hole benchmark, which is a standard benchmark problem for
SAT-solvers, e.g. used in [32]. The latter checks whether it is possible to
place n + 1 pigeons in n holes without two of them being in the same hole
(obviously, it is unsatisfiable).

Although the memory consumption of PolyBoRi is larger, Table 4 illustrates
that the computation time of both approaches is comparable for this kind
of practical examples. (The first part of the table was computed using the
preprocessing motivated by Theorem 60.) In particular, it shows that in our
research area the algebraic approach is competitive with SAT-solvers.

The advantages of PolyBoRi are illustrated by the examples above as follows:
the fast Boolean multiplication can be seen in the pigeon hole benchmarks.
The computations of the uuf problems include a large number of generators,
consisting of initially short polynomials, which lead to large intermediate
results. The algorithmic improvement of symmgbGF2 and the optimised pair
handling render the treatment of these examples with algebraic methods
possible.

In this way the initial performance of PolyBoRi is promising. The data
show that the advantage of PolyBoRi grows with the number of variables.
For many practical applications this size will be even bigger. Hence, there
is a chance that it will be possible to tackle some of these problems in
future by using more specialised approaches. A key point in the development of
PolyBoRi is to facilitate problem specific and high performance solutions.



5 Conclusions 

For efficient treatment of bit-level formulations of digital systems we have
developed specialised methods for the analysis of polynomial systems in Boolean
rings, that is quotient rings of the form $\mathbb{Z}_2[x]$ modulo the field polynomials.
For this purpose improvements were achieved on multiple levels. On one hand,
a tailored data structure was introduced to represent Boolean polynomials
which correspond to canonical representatives of the elements in the quotient
ring. This structure, which is derived from zero-suppressed binary decision
diagrams (ZDDs), is compact and allows operations used in Gröbner
basis computations to be applied in reasonable time. Further enhancements were
due to the specialised Gröbner basis algorithm symmgbGF2 itself. Exploiting
special properties in the Boolean case, special criteria for keeping the set of
critical pairs small were proposed. In addition, (recursive) caching of previous
computations and utilising symmetry makes it possible to efficiently reuse results
arising from likewise polynomials. Also, the PolyBoRi system, a framework
for Boolean rings, was presented as reference implementation for symmgbGF2
and for the ZDD-based data structure representing Boolean polynomials.

Word-level formulations of digital systems lead us to investigate Gröbner bases
over rings. More generally, we developed the theory of standard bases over
rings for which systems of linear equations can be solved effectively. For weak
factorial principal ideal rings we developed special criteria for s-polynomials
and for the normal form algorithm which proved effective.

The PolyBoRi framework for Boolean Gröbner bases showed that - in
particular if there are no immediate counter examples - the proposed approach
has already reached the same level as a state-of-the-art SAT-solver at least
for some standard benchmark examples. The advantage of an effective theory
of Boolean Gröbner bases is that they are a general and flexible tool which
opens the door to computational algebra over Boolean rings.